Top

International Journal of Information Security

Published in:

13-02-2021 | regular contribution

DAPP: automatic detection and analysis of prototype pollution vulnerability in Node.js modules

Authors: Hee Yeon Kim, Ji Hoon Kim, Ho Kyun Oh, Beom Jin Lee, Si Woo Mun, Jeong Hoon Shin, Kyounggon Kim

Published in: International Journal of Information Security | Issue 1/2022

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

The safe maintenance of Node.js modules is critical in the software security industry. Most server-side web applications are built on Node.js, an environment that is highly dependent on modules. However, there is clear lack of research on Node.js module security. This study focuses particularly on prototype pollution vulnerability, which is an emerging security vulnerability type that has also not been studied widely. To this point, the main goal of this paper is to propose patterns that can identify prototype pollution vulnerabilities. We developed an automatic static analysis tool called DAPP, which targets all the real-world modules registered in the Node Package Manager. DAPP can discover the proposed patterns in each Node.js module in a matter of a few seconds, and it mainly performs and integrates a static analysis based on abstract syntax tree and control flow graph. This study suggests an improved and efficient analysis methodology. We conducted multiple empirical tests to evaluate and compare our state-of-the-art methodology with previous analysis tools, and we found that our tool is exhaustive and works well with modern JavaScript syntax. To this end, our research demonstrates how DAPP found over 37 previously undiscovered prototype pollution vulnerabilities among 30,000 of the most downloaded Node.js modules. To evaluate DAPP, we expanded the experiment and ran our tool on 100,000 Node.js modules. The evaluation results show a high level of performance for DAPP along with the root causes for false positives and false negatives. Finally, we reported the 37 vulnerabilities, respectively, and obtained 24 CVE IDs mostly with 9.8 CVSS scores.

next article A new smart smudge attack using CNN

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Available only for authorised users

Acorn.: acorn (2019). https://www.npmjs.com/package/acorn. Online; Accessed 10 Dec 2019

Arteau, O.: Holyvier/prototype-pollution-nsec18 (2018). https://github.com/HoLyVieR/prototype-pollution-nsec18. Online; Accessed 10 Aug 2020

Babel-eslint.: babel-eslint (2019). https://www.npmjs.com/package/babel-eslint. Online; Accessed 10 Dec 2019

Christensen, H.K., Brodal, G.S.: Algorithms for finding dominators in directed graphs. PhD thesis, Aarhus Universitet, Datalogisk Institut (2016)

Davis, J., Thekumparampil, A., Lee, D.: Node. fz: fuzzing the server-side event-driven architecture. In: Proceedings of the Twelfth European Conference on Computer Systems, pp. 145–160. ACM (2017)

De Groef, W., Massacci, F., Piessens, F.: Nodesentry: least-privilege library integration for server-side Javascript. In: Proceedings of the 30th Annual Computer Security Applications Conference, pp. 446–455. ACM (2014)

Duračík, M., Kršák, E., Hrkút, P.: Current trends in source code analysis, plagiarism detection and issues of analysis big datasets. Procedia Eng. 192, 136–141 (2017)

Esgraph.: esgraph (2019). https://www.npmjs.com/package/esgraph. Online; Accessed 10 Dec 2019

Gauthier, F., Hassanshahi, B., Jordan, A.: A ffogato: runtime detection of injection attacks for node.js. In: Companion Proceedings for the ISSTA/ECOOP 2018 Workshops, pp. 94–99. ACM (2018)

10.

Georgiadis, L., Tarjan, R.E., Werneck, R.F.: Finding dominators in practice. J. Graph Algorithms Appl. 10(1), 69–94 (2006)MathSciNetCrossRef

11.

Ghaffarian, S.M., Shahriari, H.R.: Software vulnerability analysis and discovery using machine-learning and data-mining techniques: a survey. ACM Comput. Surv.: CSUR 50(4), 56 (2017)

12.

Gong, L., Pradel, M., Sridharan, M., Sen, K.: Dlint: dynamically checking bad coding practices in javascript. In: Proceedings of the 2015 International Symposium on Software Testing and Analysis, pp. 94–105. ACM (2015)

13.

Grieco, G., Grinblat, G.L., Uzal, L., Rawat, S., Feist, J., Mounier, L.: Toward large-scale vulnerability discovery using machine learning. In: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, pp. 85–96. ACM (2016)

14.

Gupta, R.: Generalized dominators and post-dominators. In: Proceedings of the 19th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 246–257. ACM (1992)

15.

Hidayat, A. esprima (2018). https://www.npmjs.com/package/esprima, https://esprima.org/. Online; Accessed 10 Dec 2019

16.

Holland, B., Santhanam, G.R., Awadhutkar, P., Kothari, S.: Statically-informed dynamic analysis tools to detect algorithmic complexity vulnerabilities. In: 2016 IEEE 16th International Working Conference on Source Code Analysis and Manipulation (SCAM), pp. 79–84. IEEE (2016)

17.

Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: a static analysis tool for detecting web application vulnerabilities. In: 2006 IEEE Symposium on Security and Privacy (S&P’06), pp. 6–pp. IEEE (2006)

18.

Lengauer, T., Tarjan, R.E.: A fast algorithm for finding dominators in a flowgraph. ACM Trans. Program. Lang. Syst.: TOPLAS 1(1), 121–141 (1979)CrossRef

19.

Madsen, M., Tip, F., Lhoták, O.: Static analysis of event-driven node.js Javascript applications. In: ACM SIGPLAN Notices, vol. 50, pp. 505–519. ACM (2015)

20.

Murthy, P.K.: Constructing a control flow graph for a software program, February 3 (2015). US Patent 8,949,811

21.

nodejs.: nodejs (2019). https://nodejs.org/en/about/. Online; Accessed 10 Dec 2019

22.

Ojamaa, A., Düüna, K.: Assessing the security of node.js platform. In: 2012 International Conference for Internet Technology and Secured Transactions, pp. 348–355. IEEE (2012)

23.

OWASP: Owasp dependency check (2019). https://www.owasp.org/index.php/OWASP_Dependency_Check. Online; Accessed 10 Dec 2019

24.

Patel, P.R.: Existence of Dependency-Based Attacks in NodeJS Environment. In: Creative Components. 91 (2018). https://lib.dr.iastate.edu/creativecomponents/91. Accessed 10 Dec 2019

25.

Patnaik, N., Sahoo, S.: Javascript static security analysis made easy with jsprime. Blackhat USA (2013)

26.

Pfretzschner, B., ben Othmane, L.: Identification of dependency-based attacks on node.js. In: Proceedings of the 12th International Conference on Availability, Reliability and Security, p. 68. ACM (2017)

27.

Quinlan, D.J., Vuduc, R.W., Misherghi, G.: Techniques for specifying bug patterns. In: Proceedings of the 2007 ACM Workshop on Parallel and Distributed Systems: Testing and Debugging, pp. 27–35. ACM (2007)

28.

Retire.js.: Retire.js (2019). https://retirejs.github.io/retire.js/. Online; Accessed 10 Dec 2019

29.

Scandariato, R., Walden, J., Hovsepyan, A., Joosen, W.: Predicting vulnerable software components via text mining. IEEE Trans. Softw. Eng. 40(10), 993–1006 (2014)CrossRef

30.

Sen, K., Kalasapur, S., Brutch, T., Gibbs, S.: Jalangi: a selective record-replay and dynamic analysis framework for Javascript. In: Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering, pp. 488–498. ACM (2013)

31.

Sharir, M.: A strong-connectivity algorithm and its applications in data flow analysis. Comput. Math. Appl. 7(1), 67–72 (1981)MathSciNetCrossRef

32.

Snyk: Prototype pollution (2019a). https://snyk.io/vuln/SNYK-JS-JQUERY-174006. Online; Accessed 10 Dec 2019

33.

Snyk: Snyk (2019b). https://github.com/snyk/snyk. Online; Accessed 10 Dec 2019

34.

SourceClear: Sourceclear (2019). https://www.sourceclear.com/. Online; Accessed 10 Dec 2019

35.

Staicu, C.-A., Pradel, M., Livshits, B.: Understanding and automatically preventing injection attacks on node.js. Technical report, Technical Report TUD-CS-2016-14663, TU Darmstadt, Department of Computer Science (2016)

36.

Sun, H., Bonetta, D., Humer, C., Binder, W.: Efficient dynamic analysis for node.js. In: Proceedings of the 27th International Conference on Compiler Construction, pp. 196–206. ACM (2018)

37.

Tao, G., Guowei, D., Hu, Q., Baojiang, C.: Improved plagiarism detection algorithm based on abstract syntax tree. In: 2013 Fourth International Conference on Emerging Intelligent Data and Web Technologies, pp. 714–719. IEEE (2013)

38.

Xie, Y., Aiken, A.: Static detection of security vulnerabilities in scripting languages. In: USENIX Security Symposium, vol. 15, pp. 179–192 (2006)

39.

Yamaguchi, F., Lindner, F., Rieck, K.: Vulnerability extrapolation: assisted discovery of vulnerabilities using machine learning. In: Proceedings of the 5th USENIX Conference on Offensive Technologies, pp. 13. USENIX Association (2011)

40.

Yamaguchi, F., Lottmann, M., Rieck, K.: Generalized vulnerability extrapolation using abstract syntax trees. In: Proceedings of the 28th Annual Computer Security Applications Conference, pp. 359–368. ACM (2012)

41.

Yamaguchi, F., Golde, N., Arp, D., Rieck, K.: Modeling and discovering vulnerabilities with code property graphs. In: 2014 IEEE Symposium on Security and Privacy, pp. 590–604. IEEE (2014)

42.

Zhao, J., Xia, K., Fu, Y., Cui, B.: An ast-based code plagiarism detection algorithm. In: 2015 10th International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA), pp. 178–182. IEEE (2015)

43.

Zheng, M., Pan, X., Lillis, D.: Codex: source code plagiarism detection based on abstract syntax tree. In: AICS, pp. 362–373 (2018)

Title: DAPP: automatic detection and analysis of prototype pollution vulnerability in Node.js modules
Authors: Hee Yeon Kim
Ji Hoon Kim
Ho Kyun Oh
Beom Jin Lee
Si Woo Mun
Jeong Hoon Shin
Kyounggon Kim
Publication date: 13-02-2021
Publisher: Springer Berlin Heidelberg
Published in: International Journal of Information Security / Issue 1/2022
Print ISSN: 1615-5262
Electronic ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-020-00537-0

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 1/2022

Privacy preserving data sharing and analysis for edge-based architectures

[m]allotROPism: a metamorphic engine for malicious software variation development

Public key versus symmetric key cryptography in client–server authentication protocols

Automatic analysis of attack graphs for risk mitigation and prioritization on large-scale and complex networks in Industry 4.0

Track for surveys

A new smart smudge attack using CNN

Premium Partner