On Measuring Vulnerable JavaScript Functions in the Wild

Abstract

JavaScript is often rated as the most popular programming language for the development of both client-side and server-side applications, and is currently used in almost all websites. Because of its popularity, JavaScript has become a frequent target for attackers, who exploit vulnerabilities in the source code to take control over the application. To address these JavaScript security issues, such vulnerabilities must be identified first. Existing work mostly deals with package-level vulnerability tracking and measurements. However this approach is limited to detecting usage of already known vulnerabilities. In this paper we develop a vulnerability detection framework that uses vulnerable pattern recognition and textual similarity methods to detect vulnerable functions in real-world projects. We build our framework with the help of a comprehensive dataset of 1,360 verified vulnerable JavaScript functions that we compose based on Snyk vulnerability database and the VulnCode-DB project. Using our framework, we identify 11,148 vulnerable functions in three environments: NPM packages, Chrome web extensions and popular websites. In addition,we conduct an in-depth contextual analysis of the findings in several popular/critical projects and confirm the security exposure of 15 cases. As evident from the results, our approach can shift JavaScript vulnerability detection from the coarse package/library level to function level, and thus improve accuracy of detection and aid timely patching.