Synode: understanding and automatically preventing injection attacks on Node.js, Staicu et al., NDSS’18
We show that injection vulnerabilities are prevalent in practice, both due to eval, which was previously studied for browser code, and due to the powerful exec API introduced in Node.js. Our study suggests that thousands of modules may be vulnerable to command injection attacks and that fixing them takes a long time, even for popular projects.
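The exec problem described in the quoted abstract, as an added example (not code from the paper or from Synode): a constructed helper that builds a shell command from caller input, next to a shell-free version and an allowlist check. The function names and the sample input are assumptions made for illustration, and the block assumes a POSIX system with echo on the PATH.

```javascript
const { execSync, execFileSync } = require('child_process');

// Constructed input: a "file name" that carries shell syntax.
const SAMPLE = 'report.txt; echo INJECTED';

// Vulnerable pattern: the value is concatenated into a string that the
// shell parses, so ';' ends the intended command and starts another.
function describeUnsafe(name) {
  return execSync('echo size-of ' + name, { encoding: 'utf8' });
}

// Hardened pattern: execFileSync starts the program directly, without a
// shell, and passes the value as one argv entry, so ';' is plain data.
function describeSafe(name) {
  return execFileSync('echo', ['size-of', name], { encoding: 'utf8' });
}

// Defence in depth: allowlist the value's shape. A leading '-' is refused
// because the target program could still read it as an option.
function isPlainFileName(name) {
  return /^[A-Za-z0-9_][A-Za-z0-9._-]*$/.test(name);
}

// Runs all three on the constructed sample (hypothetical helper).
function demo() {
  return {
    unsafe: describeUnsafe(SAMPLE),
    safe: describeSafe(SAMPLE),
    accepted: isPlainFileName(SAMPLE),
  };
}

console.log(demo());
```

In the unsafe variant the output contains a second line produced by the smuggled command; in the safe variant the whole input comes back as one literal argument.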
The Synode tool developed by the authors combines static analysis with runtime protection to defend against such attacks. You can