Extracting taint specifications for JavaScript libraries
Cristian-Alexandru Staicu, Martin Toldam Torp, Max Schäfer, Anders Møller, Michael Pradel
Abstract
Modern JavaScript applications extensively depend on third-party libraries. Especially for the Node.js platform, vulnerabilities can have severe consequences to the security of applications, resulting in, e.g., cross-site scripting and command injection attacks. Existing static analysis tools that have been developed to automatically detect such issues are either too coarse-grained, looking only at package dependency structure while ignoring dataflow, or rely on manually written taint specifications for the most popular libraries to ensure analysis scalability.
Topics & Concepts
Computer scienceJavaScriptTaint checkingProgramming languageDatabaseWorld Wide WebSoftwareAdvanced Malware Detection TechniquesSecurity and Verification in ComputingSoftware Testing and Debugging Techniques