Senapati Diwangkara (Johns Hopkins University), Yinzhi Cao (Johns Hopkins University)

Single Page Application (SPA) frameworks allow developers to build complex web applications in a single HTML page with high-level components (e.g., a search box). One research problem for SPAs is how to detect taint-style vulnerabilities, because the SPA framework reintroduces insecure DOM APIs in a new form, such as SPA component parameters acting as taint sinks. Although previous work has focused on improving vulnerability detection in SPAs, to the best of our knowledge it relies heavily on hard-coded taint sinks, which not only need to be manually curated for each SPA framework but may also miss certain insecure SPA APIs, introducing false negatives in the detected vulnerabilities.

In this paper, we present TranSPArent, an SPA vulnerability detection tool that automatically abstracts SPA frameworks using a combination of static and dynamic analysis to reveal framework-specific sinks, thus facilitating end-to-end static vulnerability detection. TranSPArent first performs a backward taint analysis from a list of insecure DOM APIs up to the framework interface to reveal which parts of the interface can taint a DOM API. This automated framework abstraction is done once per SPA framework. Then, TranSPArent finds dataflow paths between the detected SPA sinks and attacker-controlled sources to detect taint-style vulnerabilities in each application. We evaluated TranSPArent against a database of GitHub repositories and found 11 zero-day vulnerabilities, including one in a repository with 24k+ GitHub stargazers and 30 million requests/month. So far, four of the zero-day vulnerabilities have been fixed and/or acknowledged by their developers.

During our evaluation, TranSPArent found a total of 19 intermediate SPA sinks in the three most widely used SPA frameworks: Vue, React, and Angular. 14 of the newly discovered sinks are not listed by the CodeQL standard library, the state-of-the-art static analysis tool.
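The two-phase analysis described above, as an added toy example (not the authors' TranSPArent code): phase 1 walks a hypothetical framework's dataflow graph backward from insecure DOM APIs to find which component parameters are SPA sinks, and phase 2 searches an application's dataflow graph forward from attacker-controlled sources to those sinks. All node names and edges are constructed for illustration.

```javascript
// Constructed toy dataflow graphs (hypothetical names, not from the paper):
// an edge [from, to] means the value of `from` flows into `to`.
const FRAMEWORK_EDGES = [
  ['props.content', 'raw'], ['raw', 'el.innerHTML'],        // insecure DOM API
  ['props.title', 'text'], ['text', 'el.textContent'],      // safe DOM API
  ['props.href', 'url'], ['url', 'a.setAttribute(href)'],   // insecure DOM API
];
const INSECURE_DOM_APIS = ['el.innerHTML', 'a.setAttribute(href)'];
const FRAMEWORK_INTERFACE = new Set(['props.content', 'props.title', 'props.href']);

// Adjacency lists; with reverse=true each node maps to its predecessors.
function adjacency(edges, reverse = false) {
  const adj = new Map();
  for (const [from, to] of edges) {
    const [k, v] = reverse ? [to, from] : [from, to];
    (adj.get(k) ?? adj.set(k, []).get(k)).push(v); // Map.set returns the map
  }
  return adj;
}

// Phase 1 (once per framework): backward taint from each insecure DOM API
// up to the framework interface; every interface node reached is an SPA sink.
function discoverSpaSinks(frameworkEdges, domApis, iface) {
  const pred = adjacency(frameworkEdges, true);
  const sinks = new Set(), stack = [...domApis], seen = new Set(stack);
  while (stack.length) {
    const node = stack.pop();
    if (iface.has(node)) sinks.add(node);
    for (const p of pred.get(node) || []) if (!seen.has(p)) { seen.add(p); stack.push(p); }
  }
  return [...sinks].sort();
}

// Phase 2 (per application): forward search from attacker-controlled sources;
// each path ending at a discovered SPA sink is a taint-style finding.
function findVulnerablePaths(appEdges, sources, spaSinks) {
  const succ = adjacency(appEdges), sinkSet = new Set(spaSinks), paths = [];
  const walk = (node, path) => {
    if (sinkSet.has(node)) paths.push(path);
    for (const n of succ.get(node) || []) if (!path.includes(n)) walk(n, [...path, n]);
  };
  for (const s of sources) walk(s, [s]);
  return paths;
}

// Constructed application: a search-box component fed from the URL fragment.
const APP_EDGES = [
  ['location.hash', 'query'], ['query', 'props.content'],  // reaches innerHTML: finding
  ['location.hash', 'label'], ['label', 'props.title'],    // textContent only: no finding
  ['"/home"', 'props.href'],                               // constant, not attacker-controlled
];
const SPA_SINKS = discoverSpaSinks(FRAMEWORK_EDGES, INSECURE_DOM_APIS, FRAMEWORK_INTERFACE);
console.log(SPA_SINKS, findVulnerablePaths(APP_EDGES, ['location.hash'], SPA_SINKS));
```

Note that `props.title` is reached by the same source but is never reported, because phase 1 showed it only flows to a safe DOM API; hard-coding `innerHTML` alone as a sink would instead have missed `props.content` entirely.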
