Dependency management in modern software development poses many challenges for developers who wish to stay up date with the latest features and fixes whilst ensuring backwards compatibility. Project maintainers have opted varied, sometimes conflicting, approaches maintaining their dependencies. Opting unsuitable can introduce bugs vulnerabilities into project, breaking changes, cause extraneous...

JavaScript is a popular scripting language for creating dynamic and interactive web pages. Unfortunately, JavaScript also provides the ground for web-based attacks that exploit vulnerabilities in web browsers and unnoticeably infect users with malicious software. Regular security tools, such as anti-virus scanners, increasingly fail to fend off this threat, as they are unable to cope with the r...

Clientside scripting languages such as JavaScript are ubiquitous in modern, internet-connected computing, but pose a definite security risk to those who allow their execution. The widespread inclusion of thirdparty scripts into major websites increases the risks of malicious scripts interfering with the desired behavior of a page, and consequently decreases the level of security available to we...

Researchers have developed several special-purpose type systems and program logics to analyze JavaScript and other dynamically typed programming languages. Still, no prior system can precisely reason about both higher-order programs and mutable state; each system comes with its own delicate soundness proof (when such proofs are provided at all); and tools based on these theories (when they exis...

Instruction Set Randomization (ISR) is a promising technique for preventing code-injection attacks. In this paper we present a complete randomization framework for JavaScript aiming at detecting and preventing Cross-Site Scripting (XSS) attacks. RaJa randomizes JavaScript source without changing the code structure. Only JavaScript identifiers are carefully modified and the randomized code can b...

Heap-spraying is an attack technique that exploits memory corruptions in web browsers. A realtime detection of heap-spraying is difficult because of dynamic nature of JavaScript and monitoring overheads. In this paper, we propose a runtime detector of heap-spraying attacks in web browsers. We build a string trace graph by tracing all string objects and string operations in JavaScript. The graph...