Zifeng Kang (Johns Hopkins University), Song Li (Johns Hopkins University), Yinzhi Cao (Johns Hopkins University)

Prototype pollution is a relatively new type of JavaScript vulnerabilities, which allows an adversary
to inject a property into a prototypical object, such as Object.prototype. The injected property may be used later in other sensitive functions like innerHTML, leading to Cross- site Scripting (XSS), or document.cookie, leading to cookie manipulations. Prior works proposed to detect prototype pollution in Node.js application using static analysis. However, it still remains unclear how prevalent prototype pollution exists in client-side websites, let alone what consequences (e.g., XSS and cookie manipulations) prototype pollution could lead to.

In this paper, we propose ProbeTheProto, the first large-scale measurement study of clients-side prototype pollution among one million real-world websites. PROBETHEPROTO consists of two important parts: dynamic taint analysis that tracks so-called joint taint flows connecting property lookups and assignments, and input/exploit generation that guides joint taint flows into final sinks related to further consequences. ProbeTheProto answers the questions of whether a prototypical object is controllable, whether and what properties can be manipulated, and whether the injected value leads to further consequences.

We implemented a prototype of ProbeTheProto and evaluated it on one million websites. The results reveal that 2,738 real-world websites—including ten among the top 1,000—are vulnerable to 2,917 zero-day, exploitable prototype pollution vulnerabilities. We verify that 48 vulnerabilities further lead to XSS, 736 to cookie manipulations, and 830 to URL manipulations. We reported all the findings to website maintainers and so far 185 vulnerable websites have already been patched.

View More Papers

Building Embedded Systems Like It’s 1996

Ruotong Yu (Stevens Institute of Technology, University of Utah), Francesca Del Nin (University of Padua), Yuchen Zhang (Stevens Institute of Technology), Shan Huang (Stevens Institute of Technology), Pallavi Kaliyar (Norwegian University of Science and Technology), Sarah Zakto (Cyber Independent Testing Lab), Mauro Conti (University of Padua, Delft University of Technology), Georgios Portokalidis (Stevens Institute of…

Read More

Progressive Scrutiny: Incremental Detection of UBI bugs in the...

Yizhuo Zhai (University of California, Riverside), Yu Hao (University of California, Riverside), Zheng Zhang (University of California, Riverside), Weiteng Chen (University of California, Riverside), Guoren Li (University of California, Riverside), Zhiyun Qian (University of California, Riverside), Chengyu Song (University of California, Riverside), Manu Sridharan (University of California, Riverside), Srikanth V. Krishnamurthy (University of California, Riverside),…

Read More

SoK: A Proposal for Incorporating Gamified Cybersecurity Awareness in...

June De La Cruz (INSPIRIT Lab, University of Denver), Sanchari Das (INSPIRIT Lab, University of Denver)

Read More

Above and Beyond: Organizational Efforts to Complement U.S. Digital...

Rock Stevens (University of Maryland), Faris Bugra Kokulu (Arizona State University), Adam Doupé (Arizona State University), Michelle L. Mazurek (University of Maryland)

Read More