DOI: 10.1145/3658644.3690332
Test Suites Guided Vulnerability Validation for Node.js Applications

Published: 09 December 2024

Abstract

Dynamic methods have shown great promise in validating vulnerabilities and generating Proof-of-Concept (PoC) exploits for Node.js applications. They typically rely on dictionaries or specifications to determine the values of request parameters and the relationships between them. However, they still struggle to generate complex inputs from those dictionaries or specifications.
This work introduces a novel approach that uses existing test suites to automatically generate end-to-end application inputs for vulnerability validation. Our key observation is that Node.js applications often ship comprehensive test suites (in our study, the unit testing code covers an average of 85% of application code), a level of coverage that existing dynamic methods can hardly reach. We therefore design a new system, JSGo, that leverages test suites to construct end-to-end test inputs. Because test suites invoke application code directly rather than issuing requests through client-accessible entry points, they cannot simply be transformed into application inputs. We instead propose a novel trace-guided mutation mechanism based on concolic execution.
Our evaluation shows that JSGo reproduces 20 of 26 known vulnerabilities, which is 10, 12, 11 and 10 more than the state-of-the-art methods Restler, Miner, Witcher and Burp, respectively. We also applied JSGo to validate static analysis results in popular Node.js applications such as hexo, where it confirmed seven vulnerabilities, two of which have been patched following our reports.
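As an added illustration (not code from the paper or from the JSGo system), the following Node.js snippet shows the gap the abstract describes: a unit test drives the vulnerable function directly, so its input carries neither the request parameter names nor the transformations that the client-accessible entry point applies, and replaying it verbatim as a request never reaches the sink. The toy `traceGuidedLift` records which parameters the handler reads and mutates the assignment of the test's values to those parameters until the sink trace contains the payload; it is a deliberately simplified stand-in for the concolic, trace-guided mutation that JSGo actually performs. All names (`archive`, `handleArchiveRequest`, `execSink`, the `file`/`fmt` parameters) and the injection payload are constructed for this example, and the command sink only records the command string and never executes it.

```javascript
// Recording stand-in for child_process.exec: it stores the command string
// and never executes anything (constructed for this illustration).
const sinkTrace = [];
function execSink(cmd) {
  sinkTrace.push(cmd);
}

// Application code that a unit test calls directly. The name is interpolated
// into a shell command without sanitisation, i.e. this is the sink under test.
function archive(opts) {
  const flags = opts.format === 'gzip' ? '-czf' : '-cf';
  execSink(`tar ${flags} ${opts.name}.tar ./`);
}

// Client-accessible entry point (a stand-in for an Express route handler).
// The request parameter is `file`, not `name`, and the format is normalised
// before it reaches archive(); the unit test knows nothing about either.
function handleArchiveRequest(query) {
  const file = query.get('file');
  const format = (query.get('fmt') || 'tar').toLowerCase();
  if (file === null || file.length > 64) return { status: 400 };
  archive({ name: file, format });
  return { status: 200 };
}

// The test suite's input, exactly as a unit test would pass it to archive().
const unitTestInput = { name: 'a; id', format: 'gzip' };

// Naive lifting: replay the unit test object verbatim as a query string.
// The handler never sees a `file` parameter, so the sink is not reached.
function naiveReplay(testInput) {
  sinkTrace.length = 0;
  const res = handleArchiveRequest(new URLSearchParams(testInput));
  return {
    status: res.status,
    reachedSink: sinkTrace.some((c) => c.includes(testInput.name)),
  };
}

// Trace-guided lifting: run the handler once with a probe that records which
// parameter names it reads, then mutate the assignment of the test's values
// to those names until the sink trace contains the payload.
function recordParameterReads(handler) {
  const read = new Set();
  handler({ get: (k) => { read.add(k); return null; } });
  return [...read];
}

function* permutations(items) {
  if (items.length <= 1) { yield items.slice(); return; }
  for (let i = 0; i < items.length; i++) {
    const rest = items.slice(0, i).concat(items.slice(i + 1));
    for (const p of permutations(rest)) yield [items[i], ...p];
  }
}

function traceGuidedLift(testInput, handler) {
  const params = recordParameterReads(handler);
  for (const assignment of permutations(Object.values(testInput))) {
    sinkTrace.length = 0;
    const q = new URLSearchParams(params.map((p, i) => [p, assignment[i] ?? '']));
    const res = handler(q);
    // Validation criterion: the attacker-controlled value is observed at the
    // sink through the entry point, not merely inside the unit test.
    if (res.status === 200 && sinkTrace.some((c) => c.includes(testInput.name))) {
      return { request: '?' + q.toString(), command: sinkTrace[0] };
    }
  }
  return null;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive replay:', naiveReplay(unitTestInput));
  console.log('trace-guided:', traceGuidedLift(unitTestInput, handleArchiveRequest));
}
```

Run the file with `node` to print both outcomes. The point a practitioner should take from it is the validation criterion: a PoC counts only when the payload is observed at the sink via a request through the entry point, which is exactly the evidence a unit test on its own cannot provide.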

    Published In

    CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security
    December 2024
    5188 pages
    ISBN:9798400706363
    DOI:10.1145/3658644
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. node.js
    2. test suites
    3. vulnerability validation

    Qualifiers

    • Research-article

    Funding Sources

    • The Research Grants Council of the Hong Kong SAR, China

    Conference

    CCS '24

    Acceptance Rates

    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
