Zifeng Kang (Johns Hopkins University), Song Li (Johns Hopkins University), Yinzhi Cao (Johns Hopkins University)

Prototype pollution is a relatively new type of JavaScript vulnerabilities, which allows an adversary
to inject a property into a prototypical object, such as Object.prototype. The injected property may be used later in other sensitive functions like innerHTML, leading to Cross- site Scripting (XSS), or document.cookie, leading to cookie manipulations. Prior works proposed to detect prototype pollution in Node.js application using static analysis. However, it still remains unclear how prevalent prototype pollution exists in client-side websites, let alone what consequences (e.g., XSS and cookie manipulations) prototype pollution could lead to.

In this paper, we propose ProbeTheProto, the first large-scale measurement study of clients-side prototype pollution among one million real-world websites. PROBETHEPROTO consists of two important parts: dynamic taint analysis that tracks so-called joint taint flows connecting property lookups and assignments, and input/exploit generation that guides joint taint flows into final sinks related to further consequences. ProbeTheProto answers the questions of whether a prototypical object is controllable, whether and what properties can be manipulated, and whether the injected value leads to further consequences.

We implemented a prototype of ProbeTheProto and evaluated it on one million websites. The results reveal that 2,738 real-world websites—including ten among the top 1,000—are vulnerable to 2,917 zero-day, exploitable prototype pollution vulnerabilities. We verify that 48 vulnerabilities further lead to XSS, 736 to cookie manipulations, and 830 to URL manipulations. We reported all the findings to website maintainers and so far 185 vulnerable websites have already been patched.

View More Papers

Let’s Authenticate: Automated Certificates for User Authentication

James Conners (Brigham Young University), Corey Devenport (Brigham Young University), Stephen Derbidge (Brigham Young University), Natalie Farnsworth (Brigham Young University), Kyler Gates (Brigham Young University), Stephen Lambert (Brigham Young University), Christopher McClain (Brigham Young University), Parker Nichols (Brigham Young University), Daniel Zappala (Brigham Young University)

Read More

GhostTalk: Interactive Attack on Smartphone Voice System Through Power...

Yuanda Wang (Michigan State University), Hanqing Guo (Michigan State University), Qiben Yan (Michigan State University)

Read More

Demo #2: Policy-based Discovery and Patching of Logic Bugs...

Hyungsub Kim (Purdue University), Muslum Ozgur Ozmen (Purdue University), Antonio Bianchi (Purdue University), Z. Berkay Celik (Purdue University) and Dongyan Xu (Purdue University)

Read More

PASS: A System-Driven Evaluation Platform for Autonomous Driving Safety...

Zhisheng Hu (Baidu Security), Junjie Shen (UC Irvine), Shengjian Guo (Baidu Security), Xinyang Zhang (Baidu Security), Zhenyu Zhong (Baidu Security), Qi Alfred Chen (UC Irvine) and Kang Li (Baidu Security)

Read More