A Survey of Fuzzing Tools for JavaScript Engines
Abstract
JavaScript is a critical programming language for Web applications. Code written in this language is parsed and executed by specialized engines. Because these engines are complex and may contain vulnerabilities that enable attacks on end-user browsers or server-side applications, fuzzing has become the main technique for uncovering security issues in them. Nevertheless, there is a lack of studies that characterize existing fuzzing tools for JavaScript engines and their main particularities. In this paper, we survey state-of-the-art fuzzing tools for JavaScript engines. For the 19 fuzzers identified, we analyze several dimensions related to the fuzzing steps, implementation details, and the benchmarks used. A variety of fuzzing techniques are employed, making the fuzzers more efficient and targeting specific classes of vulnerabilities. Popular JavaScript engines such as ChakraCore, JavaScriptCore, V8, and SpiderMonkey have been extensively tested using existing fuzzers. Finally, we discuss research insights to support researchers and practitioners in the development of new fuzzers for JavaScript engines.