{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,16]],"date-time":"2025-10-16T10:09:01Z","timestamp":1760609341968,"version":"3.37.3"},"reference-count":43,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2021,2,13]],"date-time":"2021-02-13T00:00:00Z","timestamp":1613174400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2021,2,13]],"date-time":"2021-02-13T00:00:00Z","timestamp":1613174400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"funder":[{"name":"Korea Information Technology Research Institute"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2022,2]]},"DOI":"10.1007\/s10207-020-00537-0","type":"journal-article","created":{"date-parts":[[2021,2,14]],"date-time":"2021-02-14T09:25:44Z","timestamp":1613294744000},"page":"1-23","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":27,"title":["DAPP: automatic detection and analysis of prototype pollution vulnerability in Node.js modules"],"prefix":"10.1007","volume":"21","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9669-5705","authenticated-orcid":false,"given":"Hee Yeon","family":"Kim","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4427-3997","authenticated-orcid":false,"given":"Ji Hoon","family":"Kim","sequence":"additional","affiliation":[]},{"given":"Ho Kyun","family":"Oh","sequence":"additional","affiliation":[]},{"given":"Beom Jin","family":"Lee","sequence":"additional","affiliation":[]},{"given":"Si Woo","family":"Mun","sequence":"additional","affiliation":[]},{"given":"Jeong 
Hoon","family":"Shin","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5675-4253","authenticated-orcid":false,"given":"Kyounggon","family":"Kim","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2021,2,13]]},"reference":[{"key":"537_CR1","unstructured":"Acorn.: acorn (2019). https:\/\/www.npmjs.com\/package\/acorn. Online; Accessed 10 Dec 2019"},{"key":"537_CR2","unstructured":"Arteau, O.: Holyvier\/prototype-pollution-nsec18 (2018). https:\/\/github.com\/HoLyVieR\/prototype-pollution-nsec18. Online; Accessed 10 Aug 2020"},{"key":"537_CR3","unstructured":"Babel-eslint.: babel-eslint (2019). https:\/\/www.npmjs.com\/package\/babel-eslint. Online; Accessed 10 Dec 2019"},{"key":"537_CR4","unstructured":"Christensen, H.K., Brodal, G.S.: Algorithms for finding dominators in directed graphs. PhD thesis, Aarhus Universitet, Datalogisk Institut (2016)"},{"key":"537_CR5","doi-asserted-by":"crossref","unstructured":"Davis, J., Thekumparampil, A., Lee, D.: Node.fz: fuzzing the server-side event-driven architecture. In: Proceedings of the Twelfth European Conference on Computer Systems, pp. 145\u2013160. ACM (2017)","DOI":"10.1145\/3064176.3064188"},{"key":"537_CR6","doi-asserted-by":"crossref","unstructured":"De\u00a0Groef, W., Massacci, F., Piessens, F.: Nodesentry: least-privilege library integration for server-side Javascript. In: Proceedings of the 30th Annual Computer Security Applications Conference, pp. 446\u2013455. ACM (2014)","DOI":"10.1145\/2664243.2664276"},{"key":"537_CR7","doi-asserted-by":"crossref","unstructured":"Dura\u010d\u00edk, M., Kr\u0161\u00e1k, E., Hrk\u00fat, P.: Current trends in source code analysis, plagiarism detection and issues of analysis big datasets. Procedia Eng. 192, 136\u2013141 (2017)","DOI":"10.1016\/j.proeng.2017.06.024"},{"key":"537_CR8","unstructured":"Esgraph.: esgraph (2019). https:\/\/www.npmjs.com\/package\/esgraph. 
Online; Accessed 10 Dec 2019"},{"key":"537_CR9","unstructured":"Gauthier, F., Hassanshahi, B., Jordan, A.: Affogato: runtime detection of injection attacks for node.js. In: Companion Proceedings for the ISSTA\/ECOOP 2018 Workshops, pp. 94\u201399. ACM (2018)"},{"issue":"1","key":"537_CR10","doi-asserted-by":"publisher","first-page":"69","DOI":"10.7155\/jgaa.00119","volume":"10","author":"L Georgiadis","year":"2006","unstructured":"Georgiadis, L., Tarjan, R.E., Werneck, R.F.: Finding dominators in practice. J. Graph Algorithms Appl. 10(1), 69\u201394 (2006)","journal-title":"J. Graph Algorithms Appl."},{"issue":"4","key":"537_CR11","first-page":"56","volume":"50","author":"SM Ghaffarian","year":"2017","unstructured":"Ghaffarian, S.M., Shahriari, H.R.: Software vulnerability analysis and discovery using machine-learning and data-mining techniques: a survey. ACM Comput. Surv.: CSUR 50(4), 56 (2017)","journal-title":"ACM Comput. Surv.: CSUR"},{"key":"537_CR12","doi-asserted-by":"crossref","unstructured":"Gong, L., Pradel, M., Sridharan, M., Sen, K.: Dlint: dynamically checking bad coding practices in javascript. In: Proceedings of the 2015 International Symposium on Software Testing and Analysis, pp. 94\u2013105. ACM (2015)","DOI":"10.1145\/2771783.2771809"},{"key":"537_CR13","doi-asserted-by":"crossref","unstructured":"Grieco, G., Grinblat, G.L., Uzal, L., Rawat, S., Feist, J., Mounier, L.: Toward large-scale vulnerability discovery using machine learning. In: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, pp. 85\u201396. ACM (2016)","DOI":"10.1145\/2857705.2857720"},{"key":"537_CR14","doi-asserted-by":"crossref","unstructured":"Gupta, R.: Generalized dominators and post-dominators. In: Proceedings of the 19th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 246\u2013257. ACM (1992)","DOI":"10.1145\/143165.143216"},{"key":"537_CR15","unstructured":"Hidayat, A.: esprima (2018). 
https:\/\/www.npmjs.com\/package\/esprima, https:\/\/esprima.org\/. Online; Accessed 10 Dec 2019"},{"key":"537_CR16","doi-asserted-by":"crossref","unstructured":"Holland, B., Santhanam, G.R., Awadhutkar, P., Kothari, S.: Statically-informed dynamic analysis tools to detect algorithmic complexity vulnerabilities. In: 2016 IEEE 16th International Working Conference on Source Code Analysis and Manipulation (SCAM), pp. 79\u201384. IEEE (2016)","DOI":"10.1109\/SCAM.2016.23"},{"key":"537_CR17","doi-asserted-by":"crossref","unstructured":"Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: a static analysis tool for detecting web application vulnerabilities. In: 2006 IEEE Symposium on Security and Privacy (S&P\u201906), pp. 6\u2013pp. IEEE (2006)","DOI":"10.1109\/SP.2006.29"},{"issue":"1","key":"537_CR18","doi-asserted-by":"publisher","first-page":"121","DOI":"10.1145\/357062.357071","volume":"1","author":"T Lengauer","year":"1979","unstructured":"Lengauer, T., Tarjan, R.E.: A fast algorithm for finding dominators in a flowgraph. ACM Trans. Program. Lang. Syst.: TOPLAS 1(1), 121\u2013141 (1979)","journal-title":"ACM Trans. Program. Lang. Syst.: TOPLAS"},{"key":"537_CR19","doi-asserted-by":"crossref","unstructured":"Madsen, M., Tip, F., Lhot\u00e1k, O.: Static analysis of event-driven node.js Javascript applications. In: ACM SIGPLAN Notices, vol.\u00a050, pp. 505\u2013519. ACM (2015)","DOI":"10.1145\/2858965.2814272"},{"key":"537_CR20","unstructured":"Murthy, P.K.: Constructing a control flow graph for a software program, February 3 (2015). US Patent 8,949,811"},{"key":"537_CR21","unstructured":"nodejs.: nodejs (2019). https:\/\/nodejs.org\/en\/about\/. Online; Accessed 10 Dec 2019"},{"key":"537_CR22","unstructured":"Ojamaa, A., D\u00fc\u00fcna, K.: Assessing the security of node.js platform. In: 2012 International Conference for Internet Technology and Secured Transactions, pp. 348\u2013355. IEEE (2012)"},{"key":"537_CR23","unstructured":"OWASP: Owasp dependency check (2019). 
https:\/\/www.owasp.org\/index.php\/OWASP_Dependency_Check. Online; Accessed 10 Dec 2019"},{"key":"537_CR24","unstructured":"Patel, P.R.: Existence of Dependency-Based Attacks in NodeJS Environment. In: Creative Components. 91 (2018). https:\/\/lib.dr.iastate.edu\/creativecomponents\/91. Accessed 10 Dec 2019"},{"key":"537_CR25","unstructured":"Patnaik, N., Sahoo, S.: Javascript static security analysis made easy with jsprime. Blackhat USA (2013)"},{"key":"537_CR26","doi-asserted-by":"crossref","unstructured":"Pfretzschner, B., ben Othmane, L.: Identification of dependency-based attacks on node.js. In: Proceedings of the 12th International Conference on Availability, Reliability and Security, p. 68. ACM (2017)","DOI":"10.1145\/3098954.3120928"},{"key":"537_CR27","doi-asserted-by":"crossref","unstructured":"Quinlan, D.J., Vuduc, R.W., Misherghi, G.: Techniques for specifying bug patterns. In: Proceedings of the 2007 ACM Workshop on Parallel and Distributed Systems: Testing and Debugging, pp. 27\u201335. ACM (2007)","DOI":"10.1145\/1273647.1273654"},{"key":"537_CR28","unstructured":"Retire.js.: Retire.js (2019). https:\/\/retirejs.github.io\/retire.js\/. Online; Accessed 10 Dec 2019"},{"issue":"10","key":"537_CR29","doi-asserted-by":"publisher","first-page":"993","DOI":"10.1109\/TSE.2014.2340398","volume":"40","author":"R Scandariato","year":"2014","unstructured":"Scandariato, R., Walden, J., Hovsepyan, A., Joosen, W.: Predicting vulnerable software components via text mining. IEEE Trans. Softw. Eng. 40(10), 993\u20131006 (2014)","journal-title":"IEEE Trans. Softw. Eng."},{"key":"537_CR30","doi-asserted-by":"crossref","unstructured":"Sen, K., Kalasapur, S., Brutch, T., Gibbs, S.: Jalangi: a selective record-replay and dynamic analysis framework for Javascript. In: Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering, pp. 488\u2013498. 
ACM (2013)","DOI":"10.1145\/2491411.2491447"},{"issue":"1","key":"537_CR31","doi-asserted-by":"publisher","first-page":"67","DOI":"10.1016\/0898-1221(81)90008-0","volume":"7","author":"M Sharir","year":"1981","unstructured":"Sharir, M.: A strong-connectivity algorithm and its applications in data flow analysis. Comput. Math. Appl. 7(1), 67\u201372 (1981)","journal-title":"Comput. Math. Appl."},{"key":"537_CR32","unstructured":"Snyk: Prototype pollution (2019a). https:\/\/snyk.io\/vuln\/SNYK-JS-JQUERY-174006. Online; Accessed 10 Dec 2019"},{"key":"537_CR33","unstructured":"Snyk: Snyk (2019b). https:\/\/github.com\/snyk\/snyk. Online; Accessed 10 Dec 2019"},{"key":"537_CR34","unstructured":"SourceClear: Sourceclear (2019). https:\/\/www.sourceclear.com\/. Online; Accessed 10 Dec 2019"},{"key":"537_CR35","unstructured":"Staicu, C.-A., Pradel, M., Livshits, B.: Understanding and automatically preventing injection attacks on node.js. Technical report, Technical Report TUD-CS-2016-14663, TU Darmstadt, Department of Computer Science (2016)"},{"key":"537_CR36","doi-asserted-by":"crossref","unstructured":"Sun, H., Bonetta, D., Humer, C., Binder, W.: Efficient dynamic analysis for node.js. In: Proceedings of the 27th International Conference on Compiler Construction, pp. 196\u2013206. ACM (2018)","DOI":"10.1145\/3178372.3179527"},{"key":"537_CR37","doi-asserted-by":"crossref","unstructured":"Tao, G., Guowei, D., Hu, Q., Baojiang, C.: Improved plagiarism detection algorithm based on abstract syntax tree. In: 2013 Fourth International Conference on Emerging Intelligent Data and Web Technologies, pp. 714\u2013719. IEEE (2013)","DOI":"10.1109\/EIDWT.2013.129"},{"key":"537_CR38","unstructured":"Xie, Y., Aiken, A.: Static detection of security vulnerabilities in scripting languages. In: USENIX Security Symposium, vol. 15, pp. 
179\u2013192 (2006)"},{"key":"537_CR39","unstructured":"Yamaguchi, F., Lindner, F., Rieck, K.: Vulnerability extrapolation: assisted discovery of vulnerabilities using machine learning. In: Proceedings of the 5th USENIX Conference on Offensive Technologies, pp. 13. USENIX Association (2011)"},{"key":"537_CR40","doi-asserted-by":"crossref","unstructured":"Yamaguchi, F., Lottmann, M., Rieck, K.: Generalized vulnerability extrapolation using abstract syntax trees. In: Proceedings of the 28th Annual Computer Security Applications Conference, pp. 359\u2013368. ACM (2012)","DOI":"10.1145\/2420950.2421003"},{"key":"537_CR41","doi-asserted-by":"crossref","unstructured":"Yamaguchi, F., Golde, N., Arp, D., Rieck, K.: Modeling and discovering vulnerabilities with code property graphs. In: 2014 IEEE Symposium on Security and Privacy, pp. 590\u2013604. IEEE (2014)","DOI":"10.1109\/SP.2014.44"},{"key":"537_CR42","doi-asserted-by":"crossref","unstructured":"Zhao, J., Xia, K., Fu, Y., Cui, B.: An ast-based code plagiarism detection algorithm. In: 2015 10th International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA), pp. 178\u2013182. IEEE (2015)","DOI":"10.1109\/BWCCA.2015.52"},{"key":"537_CR43","unstructured":"Zheng, M., Pan, X., Lillis, D.: Codex: source code plagiarism detection based on abstract syntax tree. In: AICS, pp. 
362\u2013373 (2018)"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-020-00537-0.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-020-00537-0\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-020-00537-0.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,2,10]],"date-time":"2022-02-10T13:15:40Z","timestamp":1644498940000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-020-00537-0"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,2,13]]},"references-count":43,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2022,2]]}},"alternative-id":["537"],"URL":"https:\/\/doi.org\/10.1007\/s10207-020-00537-0","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"type":"print","value":"1615-5262"},{"type":"electronic","value":"1615-5270"}],"subject":[],"published":{"date-parts":[[2021,2,13]]},"assertion":[{"value":"13 February 2021","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Compliance with ethical standards"}},{"value":"The authors declare that they have no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}},{"value":"This article does not contain any studies with human participants or animals performed by any of the authors.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical approval"}},{"value":"This article does not contain 
any studies with human participants.","order":4,"name":"Ethics","group":{"name":"EthicsHeading","label":"Informed consent"}}]}}