Academic Journal

DAPP: automatic detection and analysis of prototype pollution vulnerability in Node.js modules.

Bibliographic Details
Title: DAPP: automatic detection and analysis of prototype pollution vulnerability in Node.js modules.
Authors: Kim, Hee Yeon1 (AUTHOR), Kim, Ji Hoon1 (AUTHOR), Oh, Ho Kyun1 (AUTHOR), Lee, Beom Jin2 (AUTHOR), Mun, Si Woo3 (AUTHOR), Shin, Jeong Hoon4 (AUTHOR), Kim, Kyounggon5 (AUTHOR) kkim@nauss.edu.sa
Source: International Journal of Information Security. Feb2022, Vol. 21 Issue 1, p1-23. 23p.
Subject Terms: *POLLUTION, *PROTOTYPES, FLOWGRAPHS, COMPUTER software security
Abstract: The safe maintenance of Node.js modules is critical in the software security industry. Most server-side web applications are built on Node.js, an environment that is highly dependent on modules. However, there is a clear lack of research on Node.js module security. This study focuses particularly on prototype pollution vulnerability, which is an emerging security vulnerability type that has also not been studied widely. To this point, the main goal of this paper is to propose patterns that can identify prototype pollution vulnerabilities. We developed an automatic static analysis tool called DAPP, which targets all the real-world modules registered in the Node Package Manager. DAPP can discover the proposed patterns in each Node.js module in a matter of a few seconds, and it mainly performs and integrates a static analysis based on abstract syntax tree and control flow graph. This study suggests an improved and efficient analysis methodology. We conducted multiple empirical tests to evaluate and compare our state-of-the-art methodology with previous analysis tools, and we found that our tool is exhaustive and works well with modern JavaScript syntax. To this end, our research demonstrates how DAPP found over 37 previously undiscovered prototype pollution vulnerabilities among 30,000 of the most downloaded Node.js modules. To evaluate DAPP, we expanded the experiment and ran our tool on 100,000 Node.js modules. The evaluation results show a high level of performance for DAPP along with the root causes for false positives and false negatives. Finally, we reported the 37 vulnerabilities, respectively, and obtained 24 CVE IDs mostly with 9.8 CVSS scores. [ABSTRACT FROM AUTHOR]
Copyright of International Journal of Information Security is the property of Springer Nature and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)
Database: Business Source Index
Description
ISSN: 16155262
DOI:10.1007/s10207-020-00537-0