In this project:
- We described the "Event Handler Poisoning" (EHP) attack on server-side programs that use the event-driven architecture, in which a small, fixed set of event handlers serves all clients, so one request that occupies a handler for too long starves every other client. Many Node.js applications fit this description.
- We identified many examples of possible EHP vectors in the snyk.io vulnerability database.
- We explored First-Class Timeouts as an approach to detecting and responding to EHP attacks.
- We documented potential EHP vectors among Node.js core APIs, changed the implementation of fs.readFile, and prepared a guide about EHP attacks for nodejs.org.
The reproducibility package consists of three repositories: