Making web applications safer
New software automatically finds 180 zero-day vulnerabilities in popular Node.js packages, including 70 Common Vulnerabilities and Exposures (CVEs).
A team from the Johns Hopkins Information Security Institute has developed software that locates and identifies security vulnerabilities in popular web applications — a tool that the researchers hope will empower developers to make their applications more impervious to cyberattacks.
“Identifying vulnerabilities in web applications is the first step in protecting them against potential threats. Developers can use these findings to fix vulnerabilities and make the internet a safer place for users, especially in this time when increasing numbers of people are using the internet for work and socializing,” said Yinzhi Cao, team leader and an assistant professor of computer science at the Johns Hopkins Whiting School of Engineering.
Hackers exploit these vulnerabilities to access and steal user data, or to manipulate the application into performing an unwanted action. So software developers need to be able to hunt down vulnerabilities before the hackers find them, he said.
Cao’s team is partnering with the developer security startup Snyk to validate the vulnerabilities discovered by their software and disclose them to the Common Vulnerabilities and Exposures (CVE) catalogue. Sponsored by the Department of Homeland Security, the CVE is a publicly disclosed catalogue of vulnerabilities, designed to help organizations improve cybersecurity. So far, 70 of the vulnerabilities the researchers discovered have been assigned CVE identifiers.
The researchers will present their work, titled “Mining Node.js Vulnerabilities via Object Dependence Graph and Query,” at the 2022 USENIX Security Symposium in August. The paper is currently available as a preprint online.
The research is partially supported by DARPA under its Computers and Humans Exploring Software Security (CHESS) program, under the guidance of program managers Dustin Fraze and William Bradley Martin, and with support from Andrew Carney.