DAPP: automatic detection and analysis of prototype pollution vulnerability in Node.js modules
International Journal of Information Security (IF 2.4), Pub Date: 2021-02-13, DOI: 10.1007/s10207-020-00537-0
Hee Yeon Kim , Ji Hoon Kim , Ho Kyun Oh , Beom Jin Lee , Si Woo Mun , Jeong Hoon Shin , Kyounggon Kim

The safe maintenance of Node.js modules is critical in the software security industry. Most server-side web applications are built on Node.js, an environment that is highly dependent on third-party modules. However, there is a clear lack of research on Node.js module security. This study focuses on prototype pollution, an emerging vulnerability type that has not yet been studied widely. The main goal of this paper is to propose patterns that can identify prototype pollution vulnerabilities. We developed an automatic static analysis tool called DAPP, which targets all real-world modules registered in the Node Package Manager (npm). DAPP can discover the proposed patterns in a Node.js module in a matter of seconds; it performs and integrates static analysis based on the abstract syntax tree (AST) and the control flow graph (CFG). This study suggests an improved and efficient analysis methodology. We conducted multiple empirical tests to evaluate our methodology and compare it with previous analysis tools, and found that our tool is exhaustive and handles modern JavaScript syntax well. Our research demonstrates how DAPP found 37 previously undiscovered prototype pollution vulnerabilities among the 30,000 most downloaded Node.js modules. To evaluate DAPP further, we expanded the experiment and ran our tool on 100,000 Node.js modules. The evaluation results show a high level of performance for DAPP, and we analyze the root causes of its false positives and false negatives. Finally, we reported each of the 37 vulnerabilities and obtained 24 CVE IDs, most with a CVSS score of 9.8.
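The sink that tools like DAPP look for is a recursive "deep merge" (or set/extend helper) that copies attacker-controlled keys into a target object without rejecting `__proto__`, `constructor` and `prototype`. The following is an added example, not code from the DAPP paper or from any of the modules it analysed: a vulnerable merge beside a hardened one, with a constructed JSON payload of the kind that would arrive in a request body. The function names `unsafeMerge`, `safeMerge` and `isPollutedAfter` are the editor's own.

```javascript
// Added example (not from the DAPP paper): a typical prototype-pollution sink
// in a recursive deep merge, how a JSON payload reaches Object.prototype
// through it, and a hardened variant that blocks the prototype-reaching keys.

// Vulnerable: copies every enumerable key of `src` into `dst`, including a
// key literally named "__proto__". JSON.parse creates "__proto__" as an own
// property, so it is enumerated; on `dst` it resolves to Object.prototype,
// and the recursion then writes into the shared prototype.
function unsafeMerge(dst, src) {
  for (const key in src) {
    const value = src[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof dst[key] !== 'object' || dst[key] === null) dst[key] = {};
      unsafeMerge(dst[key], value); // dst["__proto__"] === Object.prototype
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Keys that let a merge climb from an ordinary object to a prototype.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Hardened: iterate own keys only, refuse the dangerous names, and never
// descend into an inherited property of `dst`.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const value = src[key];
    if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
      if (!hasOwn(dst, key) || typeof dst[key] !== 'object' || dst[key] === null) {
        dst[key] = {};
      }
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Runs `mergeFn` on a constructed attacker payload and reports whether a
// fresh, unrelated object now inherits the injected property. The global
// state is restored afterwards so repeated calls do not influence each other.
function isPollutedAfter(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}, "name": "x"}');
  mergeFn({}, payload);
  const leaked = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return leaked;
}

console.log('unsafeMerge pollutes Object.prototype:', isPollutedAfter(unsafeMerge)); // true
console.log('safeMerge pollutes Object.prototype:  ', isPollutedAfter(safeMerge));   // false
console.log('safeMerge still merges:', JSON.stringify(safeMerge({ a: { b: 1 } }, { a: { c: 2 }, d: 3 })));
```

The check in `isPollutedAfter` is the same observable a dynamic verifier uses to confirm a static finding: after the sink runs on the payload, an object that was never touched by the merge carries the injected property. Blocking `constructor` and `prototype` in addition to `__proto__` matters because other sink shapes (for example ones that assign to `obj[key]` without first reading it) reach `Object.prototype` through `constructor.prototype` rather than through the `__proto__` accessor.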




Updated: 2021-02-15