The detection of security vulnerabilities in JavaScript web applications is a rapidly advancing field, with new vulnerability-detection techniques emerging each year. However, the lack of realistic, large-scale ground-truth datasets of vulnerabilities remains a significant barrier that hinders the scientific progress in this area. Existing benchmarks are either limited to code fragments or libraries, rely on synthetic bugs that may not fully reflect the complexity of real-world faults, or require labor-intensive manual curation, severely hampering reproducibility and scalability. As a result, the true capabilities and limitations of modern vulnerability detection tools for JavaScript remain largely unknown. In this work, we present JAVULIN, the first semi-automated framework for generating datasets of application-level JavaScript vulnerabilities at scale, using vulnerability injection. By transplanting known library-level flaws into diverse, dynamically analyzed target web applications, our approach creates proof-carrying, realistic benchmarks that capture the genuine complexity of real-world JavaScript vulnerabilities. We systematically instrument and explore each target application to identify and select viable injection points, automatically compile a portfolio containing hundreds of seed vulnerabilities, and fully automate the injection of vulnerabilities and the generation of proof-of-concept HTTP-level exploits. With this work, we aim to enable the creation of large, realistic JavaScript security benchmarks that strive to challenge state-of-the-art analysis at an unprecedented scale.
Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb) 2026
2026-02-27
2026-06-24