Date of Award

5-2025

Degree Type

Thesis

Degree Name

Master of Science – Cyber Security

Department

College of Science and Mathematics

First Advisor

Christopher Ivancic

Second Advisor

Pushkar Ogale

Third Advisor

Nikki Shoemaker

Fourth Advisor

Jianjun Zheng

Abstract

Web applications commonly rely on third-party software dependencies to reduce development time. This thesis examines how vulnerabilities in a dependency chain propagate to compromise an application. It analyzes two vulnerable Markdown libraries from the npm and Composer dependency ecosystems, which are the package managers for applications developed with JavaScript and PHP respectively. The analysis demonstrates how each library’s sanitizing functions—intended to remove unsafe user input when transforming Markdown text to HTML—are defeated to achieve a cross-site scripting exploit and take control of the application. The paper discusses potential business impacts of a compromise, underscoring the need for security improvements, and it presents strategies for mitigating dependency-related vulnerabilities. These solutions focus on package management tools available to developers, and they advocate implementing emerging security standards as part of the development life cycle.

Creative Commons License

This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.
