Feng Xiao, Jianwei Huang, Yichang Xiong, Guangliang Yang, Hong Hu, Guofei Gu, Wenke Lee
First, the team discovered hidden property abusing (HPA), a new security risk in the Node.js ecosystem. HPA leverages the widely used data exchange feature of JavaScript to tamper with critical program state in Node.js programs, such as server-side applications. HPA entitles remote attackers to launch serious attacks, such as stealing confidential data, bypassing security checks, and mounting denial-of-service attacks. Second, the team developed a hybrid program analysis tool to automatically reveal HPA vulnerabilities and even synthesize exploits. JavaScript program analysis is known to be a hard task due to the language's dynamic nature; the tool shows how static and dynamic analysis can be combined to make JavaScript security analysis tractable. This research led to the discovery of 13 0-days in widely used Node.js programs (e.g., the MongoDB driver), and 12 CVEs were assigned for the findings. The open-sourced Lynx tool can now be used to analyze Node.js programs for HPA vulnerabilities.
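The pattern behind HPA, as an added illustration that is not code from the paper or from Lynx: a handler merges a client-supplied JSON object wholesale into an internal record, so an undocumented ("hidden") key in the input overwrites state the program relies on for a security check. The names (`makeSession`, `vulnerableHandler`, `hardenedHandler`, `unexpectedKeys`) and the sample bodies are constructed for this example; the hardened version copies only allow-listed fields, and the helper reports unexpected keys as a detection hook.

```javascript
// Internal record shape the application expects from its own code paths.
function makeSession(username) {
  return { username, isAdmin: false };
}

// VULNERABLE: untrusted JSON is merged wholesale into an internal object, so
// any extra key the client supplies reaches program state and can flip the
// authorization decision below.
function vulnerableHandler(rawBody) {
  const input = JSON.parse(rawBody);
  const session = Object.assign(makeSession(input.username), input);
  return session.isAdmin ? 'admin-panel' : 'user-page';
}

// HARDENED: copy only documented fields, by name and type, from the parsed
// input. Undocumented keys (including prototype-related ones) are dropped.
const ALLOWED = ['username'];
function hardenedHandler(rawBody) {
  const input = JSON.parse(rawBody);
  const session = makeSession('');
  for (const key of ALLOWED) {
    if (Object.prototype.hasOwnProperty.call(input, key) &&
        typeof input[key] === 'string') {
      session[key] = input[key];
    }
  }
  return session.isAdmin ? 'admin-panel' : 'user-page';
}

// Detection helper: list top-level keys in an untrusted body that the schema
// does not document; suitable as a logging/alerting hook on request bodies.
function unexpectedKeys(rawBody, allowed = ALLOWED) {
  const input = JSON.parse(rawBody);
  return Object.keys(input).filter((k) => !allowed.includes(k));
}

// Constructed sample inputs: a benign body and one carrying a hidden property.
const BENIGN = JSON.stringify({ username: 'alice' });
const TAMPERED = JSON.stringify({ username: 'alice', isAdmin: true });

console.log(vulnerableHandler(TAMPERED)); // admin-panel (state tampered)
console.log(hardenedHandler(TAMPERED));   // user-page
console.log(unexpectedKeys(TAMPERED));    // [ 'isAdmin' ]
```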