Nuno Sabino
Improving Code-Injection Vulnerability Detection and Confirmation in JS Programs
Abstract
JavaScript applications face serious security risks, including client-side DOM-based Cross-Site Scripting (DOM-XSS) and server-side arbitrary command injection (ACI) and arbitrary code execution (ACE). Exploiting these vulnerabilities can lead to severe consequences, including unauthorized access to sensitive data and even full server compromise.
Dynamic taint analysis (DTA) tools have been used to identify how attacker-controlled input, such as a URL, may reach sensitive functions that lead to arbitrary code execution. Such propagations of attacker information, termed potential flows, can be good indicators of vulnerabilities. However, existing approaches struggle to (1) generate concrete inputs that exercise these flows due to limited path exploration, and (2) automatically confirm vulnerabilities, because inputs must satisfy program constraints while also triggering the intended side effects. This thesis leverages program analysis techniques to address these challenges, with tailored approaches for the distinct requirements of server and client code.
Client-side analysis is complicated by program behaviors that depend on user interactions and URL GET parameters. To overcome this, we develop a fuzzer that interacts with the target web page and employ dynamic symbolic execution (DSE) to synthesize GET parameters satisfying program constraints. Relative to our replication of the prior work DOMsday, the fuzzer alone identifies 15% more vulnerabilities in a dataset of 44,480 popular pages, and the combination of fuzzing and DSE identifies 43% more vulnerabilities than DOMsday.
On the server side, DTA-based tools miss ACI and ACE vulnerabilities that require inputs with complex structure. We develop a novel type- and structure-aware fuzzing technique to explore Node.js packages, and an enumerator to synthesize syntactically valid payloads for ACE vulnerabilities. Extending NodeMedic with these components led to finding 1.7x more vulnerabilities.
Finally, we find that non-exploitable potential flows can still indicate real vulnerabilities, but exploitation may require extra steps, such as bypassing sanitization or extending attacker capabilities. We introduce an exploitability metric designed to indicate proximity to an exploitable path, and use it to guide fuzzing and confirmation towards paths that are more likely to be automatically exploitable. Integrating this into NodeMedic-FINE results in 1% more confirmed flows, while saving 28% of the baseline confirmation time.