Zifeng Kang (Johns Hopkins University)

In this talk, we present the experimental experience in the evaluation of ProbetheProto (NDSS’22), the first large-scale measurement study of client-side prototype pollution vulnerabilities. First, we discuss the challenges for deploying ProbetheProto on real-world websites and how we mitigate them in the deployment. We present a breakdown of real-world consequences and defenses found by ProbetheProto. Second, we describe how we compare ProbetheProto with a state-of-the-art detection tool. Specifically, we modify ObjLupAnsys, a Node.js prototype pollution detection tool, to support client-side applications. Results show that ProbetheProto significantly outperforms ObjLupAnsys in two experimental settings. Lastly, we experimentally evaluate the code coverage, the performance overhead, and the True Positive Rate (TPR) of ProbetheProto. We will also discuss our evaluation limitations.

Speaker's biography

Zifeng Kang is a third-year Ph.D. student at Johns Hopkins University. His research mainly focuses on program analysis of Web Security issues.

View More Papers

All things Binary

Dr. Sergey Bratus, DARPA PI and Research Associate Professor at Dartmouth College

Read More

An In-depth Analysis of Duplicated Linux Kernel Bug Reports

Dongliang Mu (Huazhong University of Science and Technology), Yuhang Wu (Pennsylvania State University), Yueqi Chen (Pennsylvania State University), Zhenpeng Lin (Pennsylvania State University), Chensheng Yu (George Washington University), Xinyu Xing (Pennsylvania State University), Gang Wang (University of Illinois at Urbana-Champaign)

Read More

Multi-Certificate Attacks against Proof-of-Elapsed-Time and Their Countermeasures

Huibo Wang (Baidu Security), Guoxing Chen (Shanghai Jiao Tong University), Yinqian Zhang (Southern University of Science and Technology), Zhiqiang Lin (Ohio State University)

Read More