Graph-based JavaScript bug scanner finds over 100 zero-day vulnerabilities in Node.js libraries



Ben Dixon Aug 30, 2022 11:13 UTC

Updated: Nov 24, 2022 13:47 UTC

The ODGen tool was announced at this year’s Usenix Security Symposium

Researchers at Johns Hopkins University have developed a graph-based code analysis tool that can detect various vulnerabilities in JavaScript programs.

Called ODGen, the tool was announced at this year’s Usenix Security Symposium and addresses several challenges that have limited the use of graph-based security tools in analyzing JavaScript programs.

The researchers demonstrated its effectiveness by applying ODGen to thousands of Node.js libraries, where it found 180 zero-day vulnerabilities, 70 of which received CVEs.

Graph-based method

A graph-based scanner parses source files into a graph whose nodes and edges represent the program's syntax, control flow, and data flow. Vulnerability patterns are then expressed as queries over that graph: a flow from an untrusted input to a dangerous function, for instance, shows up as a path between two nodes.

This query-based approach has proven very effective for some languages. One technique in particular, the Code Property Graph (CPG), has been used successfully to find bugs in C/C++ and PHP code.
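To make the query idea concrete, the following is an added example, written for this article rather than taken from ODGen or the paper: it builds a toy dependency graph for a hypothetical Node.js request handler and runs a reachability query looking for a data flow from request input into `child_process.exec`. The handler, the node and edge names, and the `FLOWS_TO` / `PROPERTY_OF` edge kinds are all assumptions made for the example; a real scanner derives this graph from the code rather than hand-building it.

```javascript
// Added example (not ODGen's code or graph format). The handler being modelled,
// written out here only as a comment:
//   const host = req.query.host;               // source: attacker-controlled
//   const opts = { target: host };             // object-level flow into a property
//   const cmd  = 'ping -c 1 ' + opts.target;   // concatenation keeps the taint
//   child_process.exec(cmd);                   // sink: runs a shell command

class ObjectDependencyGraph {
  constructor() {
    this.nodes = new Map(); // id -> { source?, sink?, sanitizer? }
    this.edges = [];        // { from, to, kind }
  }

  addNode(id, attrs = {}) {
    this.nodes.set(id, attrs);
    return id;
  }

  addEdge(from, to, kind) {
    this.edges.push({ from, to, kind });
  }

  // Nodes whose value is derived from `id` (structural PROPERTY_OF edges are not followed).
  flowSuccessors(id) {
    return this.edges
      .filter((e) => e.from === id && e.kind === 'FLOWS_TO')
      .map((e) => e.to);
  }

  // Breadth-first search from every source node. A node marked as a sanitizer
  // kills the flow. Returns the first source-to-sink path as node ids, or null.
  findTaintPath() {
    for (const [src, attrs] of this.nodes) {
      if (!attrs.source) continue;
      const queue = [[src]];
      const seen = new Set([src]);
      while (queue.length > 0) {
        const path = queue.shift();
        const last = path[path.length - 1];
        const node = this.nodes.get(last);
        if (node.sink) return path;
        if (node.sanitizer) continue;
        for (const next of this.flowSuccessors(last)) {
          if (!seen.has(next)) {
            seen.add(next);
            queue.push([...path, next]);
          }
        }
      }
    }
    return null;
  }
}

// Build the graph for the handler above. With `validated` set, the handler is
// assumed to pass `host` through a hostname whitelist check first, which the
// analyst has registered as a sanitizer node.
function buildHandlerGraph(validated) {
  const g = new ObjectDependencyGraph();
  g.addNode('req.query.host', { source: true });
  g.addNode('host');
  g.addNode('opts');
  g.addNode('opts.target');
  g.addNode('cmd');
  g.addNode('child_process.exec', { sink: true });

  g.addEdge('req.query.host', 'host', 'FLOWS_TO');
  g.addEdge('opts.target', 'opts', 'PROPERTY_OF'); // structure only, not a value flow
  if (validated) {
    g.addNode('validHost', { sanitizer: true });
    g.addEdge('host', 'validHost', 'FLOWS_TO');
    g.addEdge('validHost', 'opts.target', 'FLOWS_TO');
  } else {
    g.addEdge('host', 'opts.target', 'FLOWS_TO');
  }
  g.addEdge('opts.target', 'cmd', 'FLOWS_TO');
  g.addEdge('cmd', 'child_process.exec', 'FLOWS_TO');
  return g;
}

// The "command injection" query: a path from any source to the exec sink.
function findCommandInjection(validated = false) {
  return buildHandlerGraph(validated).findTaintPath();
}

console.log('unvalidated:', findCommandInjection(false));
console.log('validated:  ', findCommandInjection(true));
```

The important design point is that the query only crosses `FLOWS_TO` edges, so the result depends entirely on how faithfully the graph records where values actually go, including through object properties such as `opts.target`. Whether `validHost` deserves to be a sanitizer is a separate judgement; a hostname check still leaves `exec` with a shell, and `execFile` with an argument array would be the safer sink.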


Inspired by the success of graph methods (especially CPG), researchers at Johns Hopkins University tried to apply them to JavaScript. There are various tools for finding specific vulnerabilities in JavaScript code, but graph-based tools promise to provide a general framework for finding all kinds of vulnerabilities.

“JavaScript, especially Node.js, is becoming an important community these days with millions of packages,” Yinzhi Cao, co-author of the paper and assistant professor of computer science at Johns Hopkins University, told The Daily Swig.

“At the same time, many of these NPM packages are poorly maintained and vulnerabilities are prevalent in the NPM ecosystem.”

However, their initial findings showed that CPG is not very effective for JavaScript. This is due to the dynamic nature of the language, which makes it much harder to determine object relationships and program branches before execution.

“CPG does not model detailed object relationships, including (i) prototype chains and (ii) object-level data flow. It’s hard to apply CPGs, and it’s hard to model fine-grained, object-level data flows with CPGs,” says Cao.
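To make the prototype-chain point concrete, the following is an added example, constructed for this article and not taken from the paper, of a data flow that an AST-only analysis does not see. A recursive merge receives a parsed JSON body containing a `__proto__` key, the recursion writes into `Object.prototype`, and the attacker's value then reappears on an unrelated object through ordinary prototype lookup. The `unsafeMerge` and `safeMerge` names and the payload are assumptions made for the example.

```javascript
// Added example (not ODGen's code). Prototype pollution through a deep merge:
// the attacker's value flows payload -> Object.prototype -> any object's property.

// Deliberately vulnerable recursive merge, the shape found in many npm utilities.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      // For key === '__proto__', target[key] resolves to Object.prototype,
      // so the recursion below writes into the global prototype.
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened version: own keys only, and never walk into the prototype chain.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && Object.getPrototypeOf(v) === Object.prototype;
}

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      // Only recurse into a property the target itself owns; otherwise start fresh.
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, as it would arrive in a JSON request body.
// JSON.parse creates an own property literally named "__proto__" here.
const PAYLOAD = '{"__proto__": {"isAdmin": true}}';

// Merge the payload into a fresh config object with the given merge function
// and report whether an unrelated object now inherits the attacker's property.
function pollutes(merge) {
  try {
    merge({}, JSON.parse(PAYLOAD));
    const unrelated = {};
    return unrelated.isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin; // undo any pollution so later code is unaffected
  }
}

console.log('unsafeMerge pollutes Object.prototype:', pollutes(unsafeMerge));
console.log('safeMerge pollutes Object.prototype:  ', pollutes(safeMerge));
```

Nothing in the source text of the handler mentions `Object.prototype` or the `unrelated` object, which is why a syntax-level graph has no edge to follow; the flow only exists because `target['__proto__']` and the later `unrelated.isAdmin` lookup both go through the prototype chain, the object relationship Cao says CPG leaves out.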

Object dependency graph

In their paper, the researchers propose the Object Dependency Graph (ODG) as a new way to build graphs from JavaScript code. ODG reuses some components of CPG, such as the Abstract Syntax Tree (AST), and adds features specific to JavaScript, such as fine-grained data dependencies between objects. The researchers then built ODGen, a tool for generating and querying ODGs.

“The ODGen we propose abstractly interprets JavaScript code and generates a so-called object dependency graph to capture dynamic functionality, including object relationships. We can easily obtain such information and detect vulnerabilities,” said Cao.


The researchers designed ODGen to detect vulnerabilities at both the application and package level. They tested it against 330 documented vulnerabilities across 16 categories, including cross-site scripting (XSS), server-side and client-side request forgery (SSRF/CSRF), SQL injection, prototype pollution, and command injection.

The tool detected 13 of those vulnerability types with very high accuracy, finding 302 of the 330 bugs.

They extended the evaluation by crawling 300,000 NPM packages and running ODGen's graph queries over them. ODGen reported about 3,000 potential security bugs; 264 of those were in libraries downloaded more than 1,000 times a week. The researchers confirmed and reported 180 security bugs, many of them in libraries widely used in web applications, and 70 of the vulnerabilities were assigned CVEs.

ODGen shows both how much work remains to secure the open source JavaScript ecosystem and how much can be gained by adapting existing analysis techniques into a more holistic approach to securing Node.js libraries.

In the future, Cao said, the team may extend ODGen to other programming languages ​​used in web applications, such as PHP and Java.
