Search Icon
Register

How is Proto being Probed? The Experimental Aspects behind the Large-scale Measurement of Client-Side Prototype Pollution Vulnerabilities

Zifeng Kang (Johns Hopkins University)

In this talk, we present the experimental experience in the evaluation of ProbetheProto (NDSS’22), the first large-scale measurement study of client-side prototype pollution vulnerabilities. First, we discuss the challenges for deploying ProbetheProto on real-world websites and how we mitigate them in the deployment. We present a breakdown of real-world consequences and defenses found by ProbetheProto. Second, we describe how we compare ProbetheProto with a state-of-the-art detection tool. Specifically, we modify ObjLupAnsys, a Node.js prototype pollution detection tool, to support client-side applications. Results show that ProbetheProto significantly outperforms ObjLupAnsys in two experimental settings. Lastly, we experimentally evaluate the code coverage, the performance overhead, and the True Positive Rate (TPR) of ProbetheProto. We will also discuss our evaluation limitations.

Speaker's biography

Zifeng Kang is a third-year Ph.D. student at Johns Hopkins University. His research mainly focuses on program analysis of Web Security issues.

View More Papers

coucouArray ( [post_type] => ndss-paper [post_status] => publish [posts_per_page] => 4 [orderby] => rand [tax_query] => Array ( [0] => Array ( [taxonomy] => category [field] => id [terms] => Array ( [0] => 42 [1] => 55 ) ) ) [post__not_in] => Array ( [0] => 8406 ) )

EqualNet: A Secure and Practical Defense for Long-term Network...

Jinwoo Kim (KAIST), Eduard Marin (Telefonica Research (Spain)), Mauro Conti (University of Padua), Seungwon Shin (KAIST)

Read More

BinaryInferno: Experiment Design and Evaluation Considerations When Reverse Engineering...

Jared Chandler (Tufts University)

Read More

CFInsight: A Comprehensive Metric for CFI Policies

Tommaso Frassetto (Technical University of Darmstadt), Patrick Jauernig (Technical University of Darmstadt), David Koisser (Technical University of Darmstadt), Ahmad-Reza Sadeghi (Technical University of Darmstadt)

Read More

V-Range: Enabling Secure Ranging in 5G Wireless Networks

Mridula Singh (CISPA - Helmholtz Center for Information Security), Marc Roeschlin (ETH Zurich), Aanjhan Ranganathan (Northeastern University), Srdjan Capkun (ETH Zurich)

Read More

Privacy Starts with UI: Privacy Patterns and Designer Perspectives in UI/UX Practice

Anxhela Maloku (Technical University of Munich), Alexandra Klymenko (Technical University of Munich), Stephen Meisenbacher (Technical University of Munich), Florian Matthes (Technical University of Munich)

Vision: Profiling Human Attackers: Personality and Behavioral Patterns in Deceptive Multi-Stage CTF Challenges

Khalid Alasiri (School of Computing and Augmented Intelligence Arizona State University), Rakibul Hasan (School of Computing and Augmented Intelligence Arizona State University)

From Underground to Mainstream Marketplaces: Measuring AI-Enabled NSFW Deepfakes on Fiverr

Mohamed Moustafa Dawoud (University of California, Santa Cruz), Alejandro Cuevas (Princeton University), Ram Sundara Raman (University of California, Santa Cruz)