Affogato: Runtime Detection of Injection Attacks for Node.js
Node.js took JavaScript from the browser to server-side web applications, and injection vulnerabilities are now commonly reported in Node.js modules. However, existing taint analysis approaches for JavaScript are brittle, require extensive manual modelling, and fail to analyse simple Node.js applications. For this reason, we developed AFFOGATO, a robust and practical grey-box taint analysis tool that uses black-box reasoning to overcome the need for manual modellingwhile using white-box program analysis to reason about critical program operations. We evaluate AFFOGATO on a suite of Node.js modules and show how it can detect all publicly disclosed injection vulnerabilities with an acceptable overhead, outperforming the existing state-of-the-art tool for Node.js.
slides (Affogato.pdf) | 910KiB |
Fri 20 JulDisplayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change
14:00 - 15:30 | |||
14:00 50mTalk | DeepBugs: A Learning Approach to Name-based Bug Detection SOAP Michael Pradel TU Darmstadt Pre-print File Attached | ||
15:00 15mTalk | Affogato: Runtime Detection of Injection Attacks for Node.js SOAP François Gauthier Oracle Labs, Behnaz Hassanshahi Oracle Labs, Australia, Alexander Jordan Oracle Labs, Australia Link to publication DOI File Attached | ||
15:15 15mTalk | Towards a Framework for Detecting Energy Drain in Mobile Applications - An Architecture Overview SOAP Andreas Schuler University of Applied Sciences Upper Austria, Gabriele Anderst-Kotsis Johannes Kepler University, Linz, Austria File Attached |