Extracting Taint Specifications for JavaScript Libraries

Cristian Alexandru Staicu, Martin Toldam Torp, Max Schafer, Anders Møller, Michael Pradel

Research output: Contribution to book/anthology/report/proceedingArticle in proceedingsResearchpeer-review

237 Downloads (Pure)


Modern JavaScript applications extensively depend on third-party libraries. Especially for the Node.js platform, vulnerabilities can have severe consequences to the security of applications, resulting in, e.g., cross-site scripting and command injection attacks. Existing static analysis tools that have been developed to automatically detect such issues are either too coarse-grained, looking only at package dependency structure while ignoring dataflow, or rely on manually written taint specifications for the most popular libraries to ensure analysis scalability. In this work, we propose a technique for automatically extracting taint specifications for JavaScript libraries, based on a dynamic analysis that leverages the existing test suites of the libraries and their available clients in the npm repository. Due to the dynamic nature of JavaScript, mapping observations from dynamic analysis to taint specifications that fit into a static analysis is non-trivial. Our main insight is that this challenge can be addressed by a combination of an access path mechanism that identifies entry and exit points, and the use of membranes around the libraries of interest. We show that our approach is effective at inferring useful taint specifications at scale. Our prototype tool automatically extracts 146 additional taint sinks and 7 840 propagation summaries spanning 1 393 npm modules. By integrating the extracted specifications into a commercial, state-of-the-art static analysis, 136 new alerts are produced, many of which correspond to likely security vulnerabilities. Moreover, many important specifications that were originally manually written are among the ones that our tool can now extract automatically.

Original languageEnglish
Title of host publicationICSE '20: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering
Number of pages12
Place of publicationNew York
PublisherAssociation for Computing Machinery
Publication dateJun 2020
Article number3380390
ISBN (Electronic)9781450371216
Publication statusPublished - Jun 2020
Event42nd ACM/IEEE International Conference on Software Engineering, ICSE 2020 - Virtual, Online, Korea, Republic of
Duration: 27 Jun 202019 Jul 2020


Conference42nd ACM/IEEE International Conference on Software Engineering, ICSE 2020
Country/TerritoryKorea, Republic of
CityVirtual, Online
SponsorACM Special Interest Group on Software Engineering (SIGSOFT), IEEE Computer Society Technical Council on Software Engineering (TCSE), Korean Institute of Information Scientists and Engineers (KIISE)
SeriesProceedings - International Conference on Software Engineering


  • Dynamic analysis
  • Static analysis
  • Taint analysis


Dive into the research topics of 'Extracting Taint Specifications for JavaScript Libraries'. Together they form a unique fingerprint.

Cite this