Test Suites Guided Vulnerability Validation for Node.js Applications
Abstract: Dynamic methods have shown great promise in validating vulnerabilities and generating Proof-of-Concept (PoC) exploits of Node.js applications. They typically rely on dictionaries or specifications to determine the values of request parameters and their relationships. However, they still struggle to generate complex inputs from the provided dictionaries or specifications.This work introduces a novel approach that utilizes existing test suites to automatically generate end-to-end application inputs for vulnerability validation. Our key observation is that Node.js applications often provide comprehensive test suites - in our study, the unit testing code can cover an average of 85% of application code - which can hardly be achieved by existing dynamic methods. We thus design a new system, JSGo, that leverages test suites to construct end-to-end test inputs. Since test suites directly invoke application code instead of issuing requests from client-accessible entry points, we cannot simply transform test suites into application inputs. We instead propose a novel trace-guided mutation mechanism based on concolic execution.Our evaluation demonstrates that JSGo could reproduce 20 out of 26 known vulnerabilities, which significantly outperformed the state-of-the-art methods Restler, Miner, Witcher, and Burp by 10, 12, 11, 10 more cases, respectively. We also applied JSGo to validate static analysis results in popular Node.js applications such as hexo. It successfully validated seven vulnerabilities, two of which have been patched because of our reports.
Loading