A team from the Johns Hopkins Information Security Institute has developed software that locates and identifies security vulnerabilities in popular web applications —a tool that the researchers hope will empower developers to make their applications more impervious to cyberattacks.
“Identifying vulnerabilities in web applications is the first step in protecting them against potential threats. Developers can use these findings to fix vulnerabilities and make the internet a safer place for users, especially in this time when increasing numbers of people are using the internet for work and socializing,” said Yinzhi Cao, team leader and an assistant professor of computer science at the Johns Hopkins Whiting School of Engineering.
Popular applications such as Netflix, Uber, and PayPal are built with Node.js, a framework that can run JavaScript applications on both the server and web browser sides. According to Cao, Node.js is ideal for building fast and scalable web applications, but it’s also prone to vulnerabilities or mistakes in the source code.
Hackers exploit these vulnerabilities to access and steal user data, or manipulate the application to perform an unwanted action. So software developers need to be able to hunt down vulnerabilities before the hackers find them, he says.
To this end, Cao and graduate students Song Li, Minqing Kang, and Jianwei Hou used a novel technique called Object Dependence Graph (ODG) to model dynamic features of JavaScript programming in a graph structure. Then they implemented graph queries that mine for so-called “zero-day vulnerabilities:” those that are unknown to the developers.
The team’s open-source software caught 180 zero-day JavaScript vulnerabilities in highly popular Node.js packages and applications, such as undefsafe, which has more than five million weekly downloads.
Cao’s team is partnering with the developer security startup Snyk to validate and disclose the vulnerabilities discovered by their software to the Common Vulnerabilities and Exposures (CVE). Sponsored by the Department of Homeland Security, the CVE is a publicly disclosed catalogue of vulnerabilities, and is designed to help organizations improve cybersecurity. So far, the researchers have discovered 70 vulnerabilities that have been assigned with CVE identifiers.
The researchers will present their work, titled “Mining Node.js Vulnerabilities via Object Dependence Graph and Query” at the 2022 USENIX Security Symposium in August. The paper is currently available as a preprint online.
The research is partially supported by DARPA under its Computers and Humans Exploring Software Security (CHESS) program, under the guidance of program managers Dustin Fraze and William Bradley Martin, and with support from Andrew Carney.