Zifeng Kang (Johns Hopkins University), Song Li (Johns Hopkins University), Yinzhi Cao (Johns Hopkins University)

Prototype pollution is a relatively new type of JavaScript vulnerabilities, which allows an adversary
to inject a property into a prototypical object, such as Object.prototype. The injected property may be used later in other sensitive functions like innerHTML, leading to Cross- site Scripting (XSS), or document.cookie, leading to cookie manipulations. Prior works proposed to detect prototype pollution in Node.js application using static analysis. However, it still remains unclear how prevalent prototype pollution exists in client-side websites, let alone what consequences (e.g., XSS and cookie manipulations) prototype pollution could lead to.

In this paper, we propose ProbeTheProto, the first large-scale measurement study of clients-side prototype pollution among one million real-world websites. PROBETHEPROTO consists of two important parts: dynamic taint analysis that tracks so-called joint taint flows connecting property lookups and assignments, and input/exploit generation that guides joint taint flows into final sinks related to further consequences. ProbeTheProto answers the questions of whether a prototypical object is controllable, whether and what properties can be manipulated, and whether the injected value leads to further consequences.

We implemented a prototype of ProbeTheProto and evaluated it on one million websites. The results reveal that 2,738 real-world websites—including ten among the top 1,000—are vulnerable to 2,917 zero-day, exploitable prototype pollution vulnerabilities. We verify that 48 vulnerabilities further lead to XSS, 736 to cookie manipulations, and 830 to URL manipulations. We reported all the findings to website maintainers and so far 185 vulnerable websites have already been patched.

View More Papers

Context-Sensitive and Directional Concurrency Fuzzing for Data-Race Detection

Zu-Ming Jiang (Tsinghua University), Jia-Ju Bai (Tsinghua University), Kangjie Lu (University of Minnesota), Shi-Min Hu (Tsinghua University)

Read More

Demo #10: Hijacking Connected Vehicle Alexa Skills

Wenbo Ding (University at Buffalo), Long Cheng (Clemson University), Xianghang Mi (University of Science and Technology of China), Ziming Zhao (University at Buffalo) and Hongxin Hu (University at Buffalo)

Read More

VISAS-Detecting GPS spoofing attacks against drones by analyzing camera's...

Barak Davidovich (Ben-Gurion University of the Negev), Ben Nassi (Ben-Gurion University of the Negev) and Yuval Elovici (Ben-Gurion University of the Negev)

Read More

Demo #5: Disclosing the Pringles Syndrome in Tesla FSD...

Zhisheng Hu (Baidu), Shengjian Guo (Baidu) and Kang Li (Baidu)

Read More