Using Historical Information for Fuzzing JavaScript Engines
Bruno Gonçalves de Oliveira, Andre Endo, Silvia Vergilio
2025
Abstract
JavaScript is a programming language commonly used to add interactivity and dynamic functionality to websites. It is a high-level, dynamically-typed language, well-suited for building complex, client-side applications and supporting server-side development. JavaScript engines are responsible for executing JavaScript code and are a significant target for attackers who want to exploit vulnerabilities in web applications. A popular approach adopted to discover vulnerabilities in JavaScript is fuzzing, which involves generating and executing large volumes of tests in an automated manner. Most fuzzing tools are guided by code coverage but they usually treat the code parts equally, without prioritizing any code area. In this work, we propose a novel fuzzing approach, namely JSTargetFuzzer, designed to assess JavaScript engines by targeting specific source code files. It leverages historical information from past security-related commits to guide the input generation in the fuzzing process, focusing on code areas more prone to security issues. Our results provide evidence that JSTargetFuzzer hits these specific areas from 3.61% to 16.17% more than a state-of-the-art fuzzer, and covers from 1.46% to 15.09% more branches. By the end, JSTargetFuzzer also uncovered one vulnerability not found by the baseline approach within the same time frame.
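As an added illustration of the idea stated in the abstract, and not code from the paper or from JSTargetFuzzer itself, the following Python sketch mines a constructed git log for security-related commits and ranks the source files those commits touched, yielding the kind of per-file target list a fuzzer could use to prioritize code areas. The log format, the keyword list, and the file names are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample in the shape of `git log --name-only --pretty=format:'%H%x09%s'`.
# Hashes, subjects and paths are invented for this example, not taken from any real engine.
SAMPLE_LOG = """\
a1b2c3\tFix use-after-free in Array.prototype.sort
src/builtins/array.cc
src/objects/js-array.h

d4e5f6\tUpdate README wording
README.md

0f1e2d\tHarden bounds check in TypedArray subarray (security)
src/builtins/typed-array.cc
src/objects/js-array.h

9a8b7c\tRefactor parser tokens
src/parsing/scanner.cc

5c6d7e\tFix heap overflow in regexp compiler
src/regexp/regexp-compiler.cc
src/builtins/array.cc
"""

# Assumed keyword heuristic for "security-related" commit subjects.
SECURITY_PATTERNS = re.compile(
    r"\b(use-after-free|uaf|overflow|out[- ]of[- ]bounds|oob|security|"
    r"cve-\d{4}-\d+|bounds check|type confusion)\b",
    re.IGNORECASE,
)

def parse_log(text):
    """Return a list of (subject, [touched files]) from the constructed log format."""
    commits = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        _commit_hash, _, subject = lines[0].partition("\t")
        files = [line.strip() for line in lines[1:] if line.strip()]
        commits.append((subject, files))
    return commits

def is_security_commit(subject):
    """Classify a commit as security-related by its subject line."""
    return SECURITY_PATTERNS.search(subject) is not None

def rank_target_files(text, source_prefix="src/", top_n=None):
    """Score each source file by how many security-related commits touched it,
    highest first; this is the target list a fuzzer would prioritize."""
    counts = Counter()
    for subject, files in parse_log(text):
        if not is_security_commit(subject):
            continue
        for path in files:
            if path.startswith(source_prefix):
                counts[path] += 1
    return counts.most_common(top_n)
```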
Citation
in Harvard Style
Gonçalves de Oliveira B., Endo A. and Vergilio S. (2025). Using Historical Information for Fuzzing JavaScript Engines. In Proceedings of the 27th International Conference on Enterprise Information Systems - Volume 2: ICEIS; ISBN 978-989-758-749-8, SciTePress, pages 59-70. DOI: 10.5220/0013417700003929
in Bibtex Style
@conference{iceis25,
author={Bruno Gonçalves de Oliveira and Andre Endo and Silvia Vergilio},
title={Using Historical Information for Fuzzing JavaScript Engines},
booktitle={Proceedings of the 27th International Conference on Enterprise Information Systems - Volume 2: ICEIS},
year={2025},
pages={59-70},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0013417700003929},
isbn={978-989-758-749-8},
}
in EndNote Style
TY - CONF
JO - Proceedings of the 27th International Conference on Enterprise Information Systems - Volume 2: ICEIS
TI - Using Historical Information for Fuzzing JavaScript Engines
SN - 978-989-758-749-8
AU - Gonçalves de Oliveira B.
AU - Endo A.
AU - Vergilio S.
PY - 2025
SP - 59
EP - 70
DO - 10.5220/0013417700003929
PB - SciTePress