{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,21]],"date-time":"2026-01-21T05:52:18Z","timestamp":1768974738812,"version":"3.49.0"},"reference-count":131,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2024,2,5]],"date-time":"2024-02-05T00:00:00Z","timestamp":1707091200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2024,2,29]]},"abstract":"<jats:p>JavaScript is often rated as the most popular programming language for the development of both client-side and server-side applications. Because of its popularity, JavaScript has become a frequent target for attackers who exploit vulnerabilities in the source code to take control over the application. To address these JavaScript security issues, such vulnerabilities must be identified first. Existing studies in vulnerable code detection in JavaScript mostly consider package-level vulnerability tracking and measurements. However, such package-level analysis is largely imprecise, as real-world services that include a vulnerable package may not use the vulnerable functions in the package. Moreover, even the inclusion of a vulnerable function may not lead to a security problem if the function cannot be triggered with exploitable inputs. In this article, we develop a vulnerability detection framework that uses vulnerable pattern recognition and textual similarity methods to detect vulnerable functions in real-world JavaScript projects, combined with a static multi-file taint analysis mechanism to further assess the impact of the vulnerabilities on the whole project (i.e., whether the vulnerability can be exploited in a given project). We compose a comprehensive dataset of 1,360 verified vulnerable JavaScript functions using the Snyk vulnerability database and the VulnCode-DB project. From this ground-truth dataset, we build our vulnerable patterns for two common vulnerability types: prototype pollution and Regular Expression Denial of Service (ReDoS). With our framework, we analyze 9,205,654 functions (from 3,000 NPM packages, 1,892 websites and 557 Chrome Web extensions), and detect 117,601 prototype pollution and 7,333 ReDoS vulnerabilities. By further processing all 5,839 findings from NPM packages with our taint analyzer, we verify the exploitability of 290 zero-day cases across 134 NPM packages. In addition, we conduct an in-depth contextual analysis of the findings in 17 popular\/critical projects and study the practical security exposure of 20 functions. With our semi-automated vulnerability reporting functionality, we disclosed all verified findings to project owners. We also obtained 25 published CVEs for our findings, 19 of them rated as \u201cCritical\u201d severity and six rated as \u201cHigh\u201d severity. Additionally, we obtained 169 CVEs that are currently \u201cReserved\u201d (as of Apr. 2023). As evident from the results, our approach can shift JavaScript vulnerability detection from the coarse package\/library level to the function level and thus improve the accuracy of detection and aid timely patching.<\/jats:p>","DOI":"10.1145\/3630253","type":"journal-article","created":{"date-parts":[[2023,10,26]],"date-time":"2023-10-26T21:44:03Z","timestamp":1698356643000},"page":"1-37","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":6,"title":["On Detecting and Measuring Exploitable JavaScript Functions in Real-world Applications"],"prefix":"10.1145","volume":"27","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-8042-8462","authenticated-orcid":false,"given":"Maryna","family":"Kluban","sequence":"first","affiliation":[{"name":"Concordia University, Canada"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9630-5858","authenticated-orcid":false,"given":"Mohammad","family":"Mannan","sequence":"additional","affiliation":[{"name":"Concordia University, Canada"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4284-8646","authenticated-orcid":false,"given":"Amr","family":"Youssef","sequence":"additional","affiliation":[{"name":"Concordia University, Canada"}]}],"member":"320","published-online":{"date-parts":[[2024,2,5]]},"reference":[{"key":"e_1_3_3_2_2","unstructured":"1e0ng. 2020. SimHash. Retrieved from https:\/\/github.com\/1e0ng\/SimHash"},{"key":"e_1_3_3_3_2","unstructured":"AcornJS. 2012. Acorn: A Tiny Fast JavaScript Parser. Retrieved from https:\/\/github.com\/acornjs\/acorn"},{"key":"e_1_3_3_4_2","first-page":"254","volume-title":"MSR\u201921","author":"Alfadel Mahmoud","year":"2021","unstructured":"Mahmoud Alfadel, Diego Elias Costa, Emad Shihab, and Mouafak Mkhallalati. 2021. On the use of dependabot security pull requests. In MSR\u201921. 254\u2013265."},{"key":"e_1_3_3_5_2","unstructured":"Andrew Smith. 2021. Content Spoofing. Retrieved from https:\/\/owasp.org\/www-community\/attacks\/Content_Spoofing"},{"key":"e_1_3_3_6_2","unstructured":"Jeremy Ashkenas. 2009. Underscore.js. Retrieved from https:\/\/github.com\/jashkenas\/underscore"},{"key":"e_1_3_3_7_2","unstructured":"Babel. 2020. Babel progress on ECMAScript proposals. Retrieved from https:\/\/github.com\/babel\/proposals"},{"key":"e_1_3_3_8_2","unstructured":"Balderdash Design Co.2012. Sails.js: The MVC Framework for Node.js. Retrieved from https:\/\/sailsjs.com\/"},{"key":"e_1_3_3_9_2","first-page":"368","volume-title":"ICSM\u201998","author":"Baxter Ira","year":"1998","unstructured":"Ira Baxter, Andrew Yahin, Leonardo de Moura, Marcelo Sant\u2019Anna, and Lorraine Bier. 1998. Clone detection using abstract syntax trees. In ICSM\u201998. 368\u2013377."},{"key":"e_1_3_3_10_2","unstructured":"Fabian Beuke. 2021. GitHub Language Statistics. Retrieved from https:\/\/madnight.github.io\/githut\/#\/pull_requests\/2021\/1"},{"key":"e_1_3_3_11_2","first-page":"53","volume-title":"IEEE EuroS&P\u201920","author":"Bowman Benjamin","year":"2020","unstructured":"Benjamin Bowman and H. Howie Huang. 2020. VGRAPH: A robust vulnerable code clone detection system using code property triplets. In IEEE EuroS&P\u201920. 53\u201369."},{"key":"e_1_3_3_12_2","unstructured":"BuiltWith.com. 2022. AngularJS Usage Statistics. Retrieved from https:\/\/trends.builtwith.com\/javascript\/Angular-JS"},{"key":"e_1_3_3_13_2","unstructured":"BuiltWith.com. 2022. SailsJS Usage Statistics. Retrieved from https:\/\/trends.builtwith.com\/framework\/SailsJS"},{"key":"e_1_3_3_14_2","unstructured":"Caolan McMahon. 2011. Async. Retrieved from https:\/\/caolan.github.io\/async\/v3\/"},{"key":"e_1_3_3_15_2","unstructured":"Caolan McMahon. 2014. Highland: The High-level Streams Library for Node.js and the Browser. Retrieved from https:\/\/caolan.github.io\/highland\/"},{"key":"e_1_3_3_16_2","volume-title":"NDSS Symposium","author":"Chen Daming D.","year":"2016","unstructured":"Daming D. Chen, Maverick Woo, David Brumley, and Manuel Egele. 2016. Towards automated dynamic analysis for linux-based embedded firmware. In NDSS Symposium."},{"key":"e_1_3_3_17_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-015-9368-6"},{"key":"e_1_3_3_18_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-021-09951-x"},{"key":"e_1_3_3_19_2","doi-asserted-by":"publisher","DOI":"10.1145\/3324884.3421838"},{"key":"e_1_3_3_20_2","unstructured":"CodeQL. 2019. CodeQL: About Data Flow Analysis. Retrieved from https:\/\/codeql.github.com\/docs\/writing-codeql-queries\/about-data-flow-analysis\/"},{"key":"e_1_3_3_21_2","unstructured":"Dan Hubbard. 2016. Cisco Umbrella 1 Million. Retrieved from https:\/\/umbrella.cisco.com\/blog\/cisco-umbrella-1-million"},{"key":"e_1_3_3_22_2","unstructured":"Jamie Davis. 2018. Detect Vulnerable Regexes in your Project. Retrieved from https:\/\/github.com\/davisjam\/vuln-regex-detector"},{"key":"e_1_3_3_23_2","unstructured":"Jos de Jong. 2013. Ducktype. Retrieved from https:\/\/github.com\/josdejong\/ducktype"},{"key":"e_1_3_3_24_2","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196401"},{"key":"e_1_3_3_25_2","unstructured":"Cypress Data Defense. 2020. Differences Between Static Code Analysis and Dynamic Testing. Retrieved from https:\/\/www.cypressdatadefense.com\/blog\/static-and-dynamic-code-analysis\/"},{"key":"e_1_3_3_26_2","unstructured":"Ben Dickson. 2020. Prototype Pollution: The Dangerous and Underrated Vulnerability Impacting JavaScript Applications. Retrieved from https:\/\/portswigger.net\/daily-swig\/prototype-pollution-the-dangerous-and-underrated-vulnerability-impacting-javascript-applications"},{"key":"e_1_3_3_27_2","first-page":"523","volume-title":"USENIX Security\u201912","author":"Doup\u00e9 Adam","year":"2012","unstructured":"Adam Doup\u00e9, Ludovico Cavedon, Christopher Kruegel, and Giovanni Vigna. 2012. Enemy of the state: A state-aware black-box web vulnerability scanner. In USENIX Security\u201912. 523\u2013538."},{"key":"e_1_3_3_28_2","volume-title":"NDSS\u201921","author":"Duan Ruian","year":"2021","unstructured":"Ruian Duan, Omar Alrawi, Ranjita Pai Kasturi, Ryan Elder, Brendan Saltaformaggio, and Wenke Lee. 2021. Towards measuring supply chain attacks on package managers for interpreted languages. In NDSS\u201921."},{"key":"e_1_3_3_29_2","unstructured":"Escomplex. 2015. Escomplex: Software Complexity Analysis of JavaScript Abstract Syntax Trees. Retrieved from https:\/\/github.com\/escomplex\/escomplex"},{"key":"e_1_3_3_30_2","doi-asserted-by":"publisher","DOI":"10.1145\/3395363.3397362"},{"key":"e_1_3_3_31_2","first-page":"8","volume-title":"RAISE@ICSE\u201919","author":"Ferenc Rudolf","year":"2019","unstructured":"Rudolf Ferenc, P\u00e9ter Heged\u00fcs, P\u00e9ter Gyimesi, G\u00e1bor Antal, D\u00e9nes B\u00e1n, and Tibor Gyim\u00f3thy. 2019. Challenging machine learning algorithms in predicting vulnerable JavaScript functions. In RAISE@ICSE\u201919. 8\u201314."},{"key":"e_1_3_3_32_2","unstructured":"OpenJS Foundation. 2014. Espree. Retrieved from https:\/\/www.npmjs.com\/package\/espree"},{"key":"e_1_3_3_33_2","unstructured":"GitHub. 2019. CodeQL Semantic Code Analysis Engine. Retrieved from https:\/\/codeql.github.com\/"},{"key":"e_1_3_3_34_2","unstructured":"Google. 2010. AngularJS. Retrieved from https:\/\/angularjs.org\/"},{"key":"e_1_3_3_35_2","unstructured":"Google. 2019. The Vulnerable Code Database (Vulncode-DB). Retrieved from https:\/\/www.vulncode-db.com"},{"key":"e_1_3_3_36_2","unstructured":"Gravatar.com. 2007. Gravatar. Retrieved from https:\/\/en.gravatar.com\/"},{"key":"e_1_3_3_37_2","unstructured":"James Halliday. 2013. Minimist. Retrieved from https:\/\/www.npmjs.com\/package\/minimist"},{"key":"e_1_3_3_38_2","unstructured":"hapi.js team. 2014. @hapi\/subtext. Retrieved from https:\/\/github.com\/hapijs\/subtext"},{"key":"e_1_3_3_39_2","unstructured":"Jordan Harband. 2014. QS a Query String Parsing and Stringifying Library. Retrieved from https:\/\/github.com\/ljharb\/qs"},{"key":"e_1_3_3_40_2","first-page":"2229","volume-title":"ACM CCS\u201921","author":"He Xiaoyu","year":"2021","unstructured":"Xiaoyu He, Xiaofei Xie, Yuekang Li, Jianwen Sun, Feng Li, Wei Zou, Yang Liu, Lei Yu, Jianhua Zhou, Wenchang Shi, and Wei Huo. 2021. SoFi: Reflection-augmented fuzzing for JavaScript engines. In ACM CCS\u201921. 2229\u20132242."},{"key":"e_1_3_3_41_2","unstructured":"Ariya Hidayat. 2012. ECMAScript Parsing Infrastructure for Multipurpose Analysis. Retrieved from https:\/\/esprima.org\/"},{"key":"e_1_3_3_42_2","first-page":"135","volume-title":"TASE\u201912","author":"Hu Chaojian","year":"2012","unstructured":"Chaojian Hu, Zhoujun Li, Jinxin Ma, Tao Guo, and Zhiwei Shi. 2012. File parsing vulnerability detection with symbolic execution. In TASE\u201912. 135\u2013142."},{"key":"e_1_3_3_43_2","volume-title":"NDSS\u201919","author":"HyungSeok Han","year":"2019","unstructured":"Han HyungSeok, Oh DongHyeon, and Kil Cha Sang. 2019. CodeAlchemist: Semantics-aware code generation to find vulnerabilities in JavaScript engines. In NDSS\u201919."},{"key":"e_1_3_3_44_2","article-title":"The T. J. Watson Libraries for Analysis (WALA)","year":"2015","unstructured":"IBM. 2015. The T. J. Watson Libraries for Analysis (WALA). http:\/\/wala.sourceforge.net","journal-title":"http:\/\/wala.sourceforge.net"},{"key":"e_1_3_3_45_2","unstructured":"GitHub Inc.2017. GitHub Advisory Database. Retrieved from https:\/\/github.com\/advisories"},{"key":"e_1_3_3_46_2","unstructured":"Schema inspector team. 2014. Schema-inspector. Retrieved from https:\/\/github.com\/schema-inspector\/schema-inspector"},{"key":"e_1_3_3_47_2","unstructured":"James Halliday. 2013. saferegex. Retrieved from https:\/\/github.com\/substack\/safe-regex"},{"issue":"6","key":"e_1_3_3_48_2","first-page":"48","article-title":"ReDeBug: Finding unpatched code clones in entire OS distributions","volume":"37","author":"Jang Jiyong","year":"2012","unstructured":"Jiyong Jang, Maverick Woo, and David Brumley. 2012. ReDeBug: Finding unpatched code clones in entire OS distributions. IEEE Sympos. Secur. Priv. 37, 6 (May2012), 48\u201362.","journal-title":"IEEE Sympos. Secur. Priv."},{"key":"e_1_3_3_49_2","unstructured":"Christopher Jeffrey. 2011. Marked. Retrieved from https:\/\/github.com\/markedjs\/marked"},{"key":"e_1_3_3_50_2","first-page":"96","volume-title":"ICSE\u201907","author":"Jiang Lingxiao","year":"2007","unstructured":"Lingxiao Jiang, Ghassan Misherghi, Zhendong Su, and St\u00e9phane Glondu. 2007. DECKARD: Scalable and accurate tree-based detection of code clones. In ICSE\u201907. 96\u2013105."},{"key":"e_1_3_3_51_2","first-page":"56","volume-title":"IEEE SCAM\u201918","author":"Jimenez Matthieu","year":"2018","unstructured":"Matthieu Jimenez, Yves Le Traon, and Mike Papadakis. 2018. Enabling the continuous analysis of security vulnerabilities with VulData7. In IEEE SCAM\u201918. 56\u201361."},{"key":"e_1_3_3_52_2","unstructured":"Joern. 2019. Joern - The Bug Hunter\u2019s Workbench. Retrieved from joern.io"},{"key":"e_1_3_3_53_2","unstructured":"Joernio. 2021. AST Generator. Retrieved from https:\/\/github.com\/joernio\/astgen"},{"key":"e_1_3_3_54_2","unstructured":"John-David Dalton. 2009. Lodash. Retrieved from https:\/\/www.npmjs.com\/package\/lodash"},{"key":"e_1_3_3_55_2","unstructured":"John-David Dalton. 2009. Lodash: A Modern JavaScript Utility Library. Retrieved from https:\/\/lodash.com\/"},{"key":"e_1_3_3_56_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2002.1019480"},{"key":"e_1_3_3_57_2","volume-title":"NDSS\u201922","author":"Kang Zifeng","year":"2022","unstructured":"Zifeng Kang, Song Li, and Yinzhi Cao. 2022. Probe the proto: Measuring client-side prototype pollution vulnerabilities of one million real-world websites. In NDSS\u201922."},{"key":"e_1_3_3_58_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2018.2878020"},{"key":"e_1_3_3_59_2","unstructured":"Kestrel Technology. 2020. CodeHawk Tool Suite. Retrieved from https:\/\/github.com\/static-analysis-engineering\/codehawk"},{"key":"e_1_3_3_60_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-020-00537-0"},{"key":"e_1_3_3_61_2","first-page":"1","article-title":"Software vulnerability detection methodology combined with static and dynamic analysis","volume":"89","author":"Kim Seokmo","year":"2016","unstructured":"Seokmo Kim, R. Kim, and Young Park. 2016. Software vulnerability detection methodology combined with static and dynamic analysis. Wirel. Person. Commun. 89 (Aug.2016), 1\u201317.","journal-title":"Wirel. Person. Commun."},{"key":"e_1_3_3_62_2","first-page":"595","volume-title":"IEEE S&P\u201917","author":"Kim Seulbae","year":"2017","unstructured":"Seulbae Kim, Seunghoon Woo, Heejo Lee, and Hakjoo Oh. 2017. VUDDY: A scalable approach for vulnerable code clone discovery. In IEEE S&P\u201917. 595\u2013614."},{"key":"e_1_3_3_63_2","first-page":"135","volume-title":"NSS\u201913","author":"Kirrage James","year":"2013","unstructured":"James Kirrage, Asiri Rathnayake Mudiyanselage, and Hayo Thielecke. 2013. Static analysis for regular expression denial-of-service attacks. In NSS\u201913. 135\u2013148."},{"key":"e_1_3_3_64_2","volume-title":"ASIA CCS\u201922","author":"Kluban Maryna","year":"2022","unstructured":"Maryna Kluban, Mohamman Mannan, and Amr Youssef. 2022. On measuring vulnerable JavaScript functions in the wild. In ASIA CCS\u201922."},{"key":"e_1_3_3_65_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.procs.2018.08.227"},{"key":"e_1_3_3_66_2","doi-asserted-by":"publisher","DOI":"10.1002\/cpe.3532"},{"key":"e_1_3_3_67_2","first-page":"310","volume-title":"ICSE\u201912","author":"Li Jingyue","year":"2012","unstructured":"Jingyue Li and Michael D. Ernst. 2012. CBCD: Cloned buggy code detector. In ICSE\u201912. 310\u2013320."},{"key":"e_1_3_3_68_2","doi-asserted-by":"publisher","DOI":"10.1145\/3468264.3468542"},{"key":"e_1_3_3_69_2","volume-title":"USENIX Security\u201922","author":"Li Song","year":"2022","unstructured":"Song Li, Mingqing Kang, Jianwei Hou, and Yinzhi Cao. 2022. Mining node.js vulnerabilities via object dependence graph and query. In USENIX Security\u201922."},{"key":"e_1_3_3_70_2","first-page":"3847","volume-title":"USENIX Security\u201921","author":"Li Yeting","year":"2021","unstructured":"Yeting Li, Zixuan Chen, Jialun Cao, Zhiwu Xu, Qiancheng Peng, Haiming Chen, Liyuan Chen, and Shing-Chi Cheung. 2021. ReDoSHunter: A combined static and dynamic approach for regular expression DoS detection. In USENIX Security\u201921. 3847\u20133864."},{"key":"e_1_3_3_71_2","first-page":"1468","volume-title":"IEEE S&P\u201921","author":"Liu Yinxi","year":"2021","unstructured":"Yinxi Liu, Mingxue Zhang, and Wei Meng. 2021. Revealer: Detecting and exploiting regular expression denial-of-service vulnerabilities. In IEEE S&P\u201921. 1468\u20131484."},{"key":"e_1_3_3_72_2","unstructured":"Veracode LLC. 2006. Veracode Static Analysis. Retrieved from https:\/\/www.veracode.com\/products\/binary-static-analysis-sast"},{"key":"e_1_3_3_73_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jksuci.2023.01.009"},{"key":"e_1_3_3_74_2","unstructured":"Sebastian McKenzie. 2014. Babel the JavaScript Compiler. Retrieved from https:\/\/babeljs.io\/"},{"key":"e_1_3_3_75_2","volume-title":"USENIX Security\u201922","author":"McLaughlin Robert","year":"2022","unstructured":"Robert McLaughlin, Fabio Pagani, Noah Spahn, Christopher Kruegel, and Giovanni Vigna. 2022. Regulator: Dynamic analysis to detect ReDoS. In USENIX Security\u201922."},{"key":"e_1_3_3_76_2","article-title":"Modeling functional similarity in source code with graph-based siamese networks","author":"Mehrotra Nikita","year":"2021","unstructured":"Nikita Mehrotra, Navdha Agarwal, Piyush Gupta, Saket Anand, David Lo, and Rahul Purandare. 2021. Modeling functional similarity in source code with graph-based siamese networks. IEEE Trans. Softw. Eng. (Aug.2021).","journal-title":"IEEE Trans. Softw. Eng."},{"key":"e_1_3_3_77_2","volume-title":"ICLR\u201913","author":"Mikolov Tom\u00e1s","year":"2013","unstructured":"Tom\u00e1s Mikolov, Kai Chen, Greg Corrado, and Jeffrey Dean. 2013. Efficient estimation of word representations in vector space. In ICLR\u201913."},{"key":"e_1_3_3_78_2","unstructured":"MITRE. 2006. Common Weakness Enumeration. Retrieved from https:\/\/cwe.mitre.org\/"},{"key":"e_1_3_3_79_2","unstructured":"MITRE. 2021. Common Vulnerabilities and Exposures. Retrieved from https:\/\/cve.mitre.org\/"},{"key":"e_1_3_3_80_2","first-page":"15","volume-title":"ICCQ","author":"Mosolyg\u00f3 Bal\u00e1zs","year":"2021","unstructured":"Bal\u00e1zs Mosolyg\u00f3, Norbert V\u00e1ndor, G\u00e1bor Antal, P\u00e9ter Heged\u0171s, and Rudolf Ferenc. 2021. Towards a prototype based explainable JavaScript vulnerability prediction model. In ICCQ. 15\u201325."},{"key":"e_1_3_3_81_2","unstructured":"Mozilla. 2021. Polyfill. Retrieved from https:\/\/developer.mozilla.org\/en-US\/docs\/Glossary\/Polyfill"},{"key":"e_1_3_3_82_2","first-page":"311","volume-title":"ACM CCS\u201906","author":"Newsome James","year":"2006","unstructured":"James Newsome, David Brumley, Jason Franklin, and Dawn Song. 2006. Replayer: Automatic protocol replay by binary analysis. In ACM CCS\u201906. 311\u2013321."},{"key":"e_1_3_3_83_2","unstructured":"npm. 2010. Node Package Registry. Retrieved from https:\/\/www.npmjs.com\/"},{"key":"e_1_3_3_84_2","unstructured":"npm. 2018. The Node Security Platform Service is Shutting Down. Retrieved from https:\/\/blog.npmjs.org\/post\/175511531085\/insert-title-here.html"},{"key":"e_1_3_3_85_2","unstructured":"Chris O\u2019Hara. 2018. Validator.js. Retrieved from https:\/\/github.com\/validatorjs\/validator.js"},{"key":"e_1_3_3_86_2","unstructured":"OSA 2018. OpenStaticAnalyzer. Retrieved from https:\/\/openstaticanalyzer.github.io\/"},{"key":"e_1_3_3_87_2","unstructured":"The Node Security Platform. 2017. ESLint Security Plugin. Retrieved from https:\/\/www.npmjs.com\/package\/eslint-plugin-security"},{"key":"e_1_3_3_88_2","volume-title":"NDSS\u201919","author":"Pochat Victor Le","year":"2019","unstructured":"Victor Le Pochat, Tom Van Goethem, Samaneh Tajalizadehkhoob, Maciej Korczy\u0144ski, and Wouter Joosen. 2019. Tranco\u2014A research-oriented top sites ranking hardened against manipulation. In NDSS\u201919."},{"key":"e_1_3_3_89_2","unstructured":"PortSwigger.net. 2021. DOM-based Open Redirection. Retrieved from https:\/\/portswigger.net\/web-security\/dom-based\/open-redirection"},{"key":"e_1_3_3_90_2","unstructured":"Niels Provos. 2015. A JavaScript-based DDoS Attack as Seen by Safe Browsing. Retrieved from https:\/\/security.googleblog.com\/2015\/04\/a-javascript-based-ddos-attack-as-seen.html"},{"key":"e_1_3_3_91_2","unstructured":"Andris Reinman. 2014. NODEMAILER Send Emails from Node.js \u2013 Easy as Cake! Retrieved from https:\/\/nodemailer.com\/"},{"key":"e_1_3_3_92_2","first-page":"757","volume-title":"ICMLA\u201918","author":"Russell Rebecca","year":"2018","unstructured":"Rebecca Russell, Louis Kim, Lei Hamilton, Tomo Lazovich, Jacob Harer, Onur Ozdemir, Paul Ellingwood, and Marc McConley. 2018. Automated vulnerability detection in source code using deep representation learning. In ICMLA\u201918. 757\u2013762."},{"key":"e_1_3_3_93_2","unstructured":"SonarSource S.A. 2008. SonarCube: Code Security for Developers. Retrieved from https:\/\/www.sonarqube.org\/features\/security\/"},{"key":"e_1_3_3_94_2","doi-asserted-by":"publisher","DOI":"10.1145\/2884781.2884877"},{"key":"e_1_3_3_95_2","first-page":"1","volume-title":"WODA+PERTEA\u201914","author":"Sasnauskas Raimondas","year":"2014","unstructured":"Raimondas Sasnauskas and John Regehr. 2014. Intent fuzzer: Crafting intents of death. In WODA+PERTEA\u201914. 1\u20135."},{"key":"e_1_3_3_96_2","first-page":"513","volume-title":"IEEE S&P\u201910","author":"Saxena Prateek","year":"2010","unstructured":"Prateek Saxena, Devdatta Akhawe, Steve Hanna, Feng Mao, Stephen McCamant, and Dawn Song. 2010. A symbolic execution framework for JavaScript. In IEEE S&P\u201910. 513\u2013528."},{"key":"e_1_3_3_97_2","unstructured":"Scott Sauyet Buzz de Cafe. 2020. Ramda. Retrieved from https:\/\/ramdajs.com\/"},{"key":"e_1_3_3_98_2","unstructured":"Semgrep.dev. 2020. Semgrep\u2013Find Bugs and Enforce Code Standards. Retrieved from https:\/\/semgrep.dev\/docs\/"},{"key":"e_1_3_3_99_2","doi-asserted-by":"publisher","DOI":"10.1145\/2491411.2491447"},{"key":"e_1_3_3_100_2","volume-title":"USENIX Security\u201923","author":"Shcherbakov Mikhail","year":"2023","unstructured":"Mikhail Shcherbakov, Musard Balliu, and Cristian-Alexandru Staicu. 2023. Silent spring: Prototype pollution leads to remote code execution in node.js. In USENIX Security\u201923."},{"key":"e_1_3_3_101_2","unstructured":"Sheetjs LLC. 2012. SheetJS Community Edition \u2013 Spreadsheet Data Toolkit. Retrieved from https:\/\/github.com\/SheetJS\/sheetjs\/"},{"key":"e_1_3_3_102_2","first-page":"225","volume-title":"ACM\/IEEE ASE\u201918","author":"Shen Yuju","year":"2018","unstructured":"Yuju Shen, Yanyan Jiang, Chang Xu, Ping Yu, Xiaoxing Ma, and Jian Lu. 2018. ReScue: Crafting regular expression DoS attacks. In ACM\/IEEE ASE\u201918. 225\u2013235."},{"key":"e_1_3_3_103_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICMLA.2016.0185"},{"key":"e_1_3_3_104_2","unstructured":"Snyk.io. 2015. Snyk Vulnerability Database. Retrieved from https:\/\/snyk.io\/product\/vulnerability-database\/"},{"key":"e_1_3_3_105_2","unstructured":"Snyk.io. 2018. GitHub Snyk Vulnerability Database. Retrieved from https:\/\/github.com\/snyk\/vulnerabilitydb"},{"key":"e_1_3_3_106_2","unstructured":"Snyk.io. 2018. Prototype Pollution in merge mergeWith and defaultsDeep Lodash. Retrieved from https:\/\/snyk.io\/vuln\/SNYK-DOTNET-LODASH-540455"},{"key":"e_1_3_3_107_2","unstructured":"Snyk.io. 2019. Prototype Pollution in defaultsDeep Lodash. Retrieved from https:\/\/snyk.io\/vuln\/SNYK-DOTNET-LODASH-540457"},{"key":"e_1_3_3_108_2","unstructured":"Snyk.io. 2020. Prototype Pollution in set\/setWith Lodash. Retrieved from https:\/\/snyk.io\/vuln\/SNYK-JS-LODASH-608086"},{"key":"e_1_3_3_109_2","unstructured":"Snyk.io. 2020. Prototype Pollution in zipObjectDeep Lodash. Retrieved from https:\/\/snyk.io\/vuln\/SNYK-JS-LODASH-590103"},{"key":"e_1_3_3_110_2","unstructured":"Softwaretestinghelp.com. 2021. JavaScript Injection Tutorial: Test and Prevent JS Injection Attacks on Website. Retrieved from https:\/\/www.softwaretestinghelp.com\/javascript-injection-tutorial\/"},{"key":"e_1_3_3_111_2","first-page":"293","volume-title":"IEEE TrustCom\u201920","author":"Song Xiaonan","year":"2020","unstructured":"Xiaonan Song, Aimin Yu, Haibo Yu, Shirun Liu, Xin Bai, Lijun Cai, and Dan Meng. 2020. Program slice based vulnerable code clone detection. In IEEE TrustCom\u201920. 293\u2013300."},{"key":"e_1_3_3_112_2","unstructured":"Stackoverflow.com. 2020. Developer Survey. Retrieved from https:\/\/insights.stackoverflow.com\/survey\/2020#most-popular-technologies"},{"key":"e_1_3_3_113_2","first-page":"361","volume-title":"USENIX Security\u201918","author":"Staicu Cristian-Alexandru","year":"2018","unstructured":"Cristian-Alexandru Staicu and Michael Pradel. 2018. Freezing the web: A study of ReDoS vulnerabilities in JavaScript-based web servers. In USENIX Security\u201918. 361\u2013376."},{"key":"e_1_3_3_114_2","first-page":"1","volume-title":"NDSS","author":"Stephens Nick","year":"2016","unstructured":"Nick Stephens, John Grosen, Christopher Salls, Andrew Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna. 2016. Driller: Augmenting fuzzing through selective symbolic execution. In NDSS. 1\u201316."},{"key":"e_1_3_3_115_2","unstructured":"Bryan Sullivan. 2010. SDL Regex Fuzzer. Retrieved from https:\/\/www.microsoft.com\/security\/blog\/2010\/10\/12\/new-tool-sdl-regex-fuzzer\/"},{"key":"e_1_3_3_116_2","unstructured":"Superhuman Labs. 2016. RXXR2 Regular Expression Static Analyzer. Retrieved from https:\/\/github.com\/superhuman\/rxxr2"},{"key":"e_1_3_3_117_2","unstructured":"Yargs team. 2016. yargs-parser. Retrieved from https:\/\/github.com\/yargs\/yargs-parser"},{"key":"e_1_3_3_118_2","first-page":"134","volume-title":"TAP\u201908","author":"Tillmann Nikolai","year":"2008","unstructured":"Nikolai Tillmann and Jonathan de Halleux. 2008. Pex\u2013White box test generation for .NET. In TAP\u201908. 134\u2013153."},{"key":"e_1_3_3_119_2","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196431"},{"key":"e_1_3_3_120_2","first-page":"512","volume-title":"IEEE SANER\u201918","author":"Vislavski Tijana","year":"2018","unstructured":"Tijana Vislavski, Gordana Rakic, Nicol\u00e1s Cardozo, and Zoran Budimac. 2018. LICCA: A tool for cross-language clone detection. In IEEE SANER\u201918. 512\u2013516."},{"key":"e_1_3_3_121_2","unstructured":"W3Techs. 2021. Usage Statistics of JavaScript as Client-side Programming Language on Websites. Retrieved from https:\/\/w3techs.com\/technologies\/details\/cp-javascript"},{"key":"e_1_3_3_122_2","first-page":"497","volume-title":"IEEE S&P\u201910","author":"Wang Tielei","year":"2010","unstructured":"Tielei Wang, Tao Wei, Guofei Gu, and Wei Zou. 2010. TaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection. In IEEE S&P\u201910. 497\u2013512."},{"key":"e_1_3_3_123_2","first-page":"Springer, 322\u20133","volume-title":"Implementation and Application of Automata","author":"Weideman Nicolaas","year":"2016","unstructured":"Nicolaas Weideman, Brink Van Der Merwe, Martin Berglund, and Bruce Watson. 2016. Analyzing matching time behavior of backtracking regular expression matchers by using ambiguity of NFA. In Implementation and Application of Automata. Springer, 322\u2013334."},{"key":"e_1_3_3_124_2","unstructured":"Adar Weidman. 2019. Regular Expression Denial of Service - ReDoS. Retrieved from https:\/\/owasp.org\/www-community\/attacks\/Regular_expression_Denial_of_Service_-_ReDoS"},{"key":"e_1_3_3_125_2","first-page":"590","volume-title":"IEEE S&P\u201914","author":"Yamaguchi Fabian","year":"2014","unstructured":"Fabian Yamaguchi, Nico Golde, Daniel Arp, and Konrad Rieck. 2014. Modeling and discovering vulnerabilities with code property graphs. In IEEE S&P\u201914. 590\u2013604."},{"key":"e_1_3_3_126_2","unstructured":"Yeoman team. 2012. grunt-usemin. Retrieved from https:\/\/www.npmjs.com\/package\/grunt-usemin\/"},{"key":"e_1_3_3_127_2","first-page":"559","volume-title":"IEEE ICSME\u201918","author":"Zapata Rodrigo Elizalde","year":"2018","unstructured":"Rodrigo Elizalde Zapata, Raula Gaikovina Kula, Bodin Chinthanet, Takashi Ishio, Kenichi Matsumoto, and Akinori Ihara. 2018. Towards smoother library migrations: A look at vulnerable dependency migrations at function level for NPM JavaScript Packages. In IEEE ICSME\u201918. 559\u2013563."},{"key":"e_1_3_3_128_2","first-page":"619","volume-title":"IEEE SANER\u201919","author":"Zerouali Ahmed","year":"2019","unstructured":"Ahmed Zerouali, Valerio Cosentino, Tom Mens, Gregorio Robles, and Jes\u00fas M. Gonz\u00e1lez-Barahona. 2019. On the impact of outdated and vulnerable JavaScript packages in docker images. In IEEE SANER\u201919. 619\u2013623."},{"key":"e_1_3_3_129_2","unstructured":"Matt Zeunert. 2016. FromJS. Retrieved from https:\/\/www.fromjs.com\/"},{"key":"e_1_3_3_130_2","doi-asserted-by":"publisher","DOI":"10.1007\/s11859-019-1380-z"},{"key":"e_1_3_3_131_2","first-page":"10197","volume-title":"NIPS\u201919","author":"Zhou Yaqin","year":"2019","unstructured":"Yaqin Zhou, Shangqing Liu, Jingkai Siow, Xiaoning Du, and Yang Liu. 2019. Devign: Effective vulnerability identification by learning comprehensive program semantics via graph neural networks. In NIPS\u201919. 10197\u201310207."},{"key":"e_1_3_3_132_2","first-page":"995","volume-title":"USENIX Security\u201919","author":"Zimmermann Markus","year":"2019","unstructured":"Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Small world with high risks: A study of security threats in the NPM ecosystem. In USENIX Security\u201919. 995\u20131010."}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3630253","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3630253","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:45:52Z","timestamp":1750178752000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3630253"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,2,5]]},"references-count":131,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2024,2,29]]}},"alternative-id":["10.1145\/3630253"],"URL":"https:\/\/doi.org\/10.1145\/3630253","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,2,5]]},"assertion":[{"value":"2022-08-03","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-10-20","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-02-05","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}