Understanding and Automatically Preventing Injection Attacks on Node.js

Cristian-Alexandru Staicu, Michael Pradel, Ben Livshits

TUD-CS-2016-14663 |

The NODE.JS ecosystem has lead to the creation of many modern applications, such as server-side web applications and desktop applications. Unlike client-side JavaScript code, NODE.JS applications can interact freely with the operating system without the benefits of a security sandbox. The complex interplay between NODE.JS modules leads to subtle injection vulnerabilities being introduced across module boundaries. This paper presents a large-scale study across 235,850 NODE.JS modules to explore such vulnerabilities. We show that injection vulnerabilities are prevalent in practice, both due to eval, which was previously studied for browser code, and due to the powerful exec API introduced in NODE.JS. Our study shows that thousands of modules may be vulnerable to command injection attacks and that even for popular projects it takes long time to fix the problem. Motivated by these findings, we present SYNODE, an automatic mitigation technique that combines static analysis and runtime enforcement of security policies for allowing vulnerable modules to be used in a safe way. The key idea is to statically compute a template of values passed to APIs that are prone to injections, and to synthesize a grammar-based runtime policy from these templates. Our mechanism does not require the modification of the NODE.JS platform, is fast (sub-millisecond runtime overhead), and protects against attacks of vulnerable modules while inducing very few false positives (less than 10%).