SoK: Taxonomy of attacks on open-source software supply chains
The widespread dependency on open-source software makes it a fruitful target for malicious
actors, as demonstrated by recurring attacks. The complexity of today's open-source supply …
Small world with high risks: A study of security threats in the npm ecosystem
M Zimmermann, CA Staicu, C Tenny… - 28th USENIX Security …, 2019 - usenix.org
The popularity of JavaScript has led to a large ecosystem of third-party packages available
via the npm software package registry. The open nature of npm has boosted its growth …
Empirical analysis of security vulnerabilities in python packages
Software ecosystems play an important role in modern software development, providing an
open platform of reusable packages that speed up and facilitate development tasks …
Towards measuring supply chain attacks on package managers for interpreted languages
R Duan, O Alrawi, RP Kasturi, R Elder… - arxiv preprint arxiv …, 2020 - arxiv.org
Package managers have become a vital part of the modern software development process.
They allow developers to reuse third-party code, share their own code, minimize their …
PyCG: Practical call graph generation in Python
V Salis, T Sotiropoulos, P Louridas… - 2021 IEEE/ACM …, 2021 - ieeexplore.ieee.org
Call graphs play an important role in different contexts, such as profiling and vulnerability
propagation analysis. Generating call graphs in an efficient manner can be a challenging …
Silent spring: Prototype pollution leads to remote code execution in Node.js
Prototype pollution is a dangerous vulnerability affecting prototype-based languages like
JavaScript and the Node.js platform. It refers to the ability of an attacker to inject properties …
Modular call graph construction for security scanning of Node.js applications
Most of the code in typical Node.js applications comes from third-party libraries that consist
of a large number of interdependent modules. Because of the dynamic features of …
Freezing the Web: a study of ReDoS vulnerabilities in JavaScript-based web servers
Regular expression denial of service (ReDoS) is a class of algorithmic complexity attacks
where matching a regular expression against an attacker-provided input takes unexpectedly …
Detecting Node.js prototype pollution vulnerabilities via object lookup analysis
Prototype pollution is a type of vulnerability specific to prototype-based languages, such as
JavaScript, which allows an adversary to pollute a base object's property, leading to a further …
Mining Node.js vulnerabilities via object dependence graph and query
Node.js is a popular non-browser JavaScript platform that provides useful but sometimes
also vulnerable packages. On one hand, prior works have proposed many program analysis …