Zifeng Kang (Johns Hopkins University), Song Li (Johns Hopkins University), Yinzhi Cao (Johns Hopkins University)
Prototype pollution is a relatively new type of JavaScript vulnerabilities, which allows an adversary
to inject a property into a prototypical object, such as Object.prototype. The injected property may be used later in other sensitive functions like innerHTML, leading to Cross- site Scripting (XSS), or document.cookie, leading to cookie manipulations. Prior works proposed to detect prototype pollution in Node.js application using static analysis. However, it still remains unclear how prevalent prototype pollution exists in client-side websites, let alone what consequences (e.g., XSS and cookie manipulations) prototype pollution could lead to.
In this paper, we propose ProbeTheProto, the first large-scale measurement study of clients-side prototype pollution among one million real-world websites. PROBETHEPROTO consists of two important parts: dynamic taint analysis that tracks so-called joint taint flows connecting property lookups and assignments, and input/exploit generation that guides joint taint flows into final sinks related to further consequences. ProbeTheProto answers the questions of whether a prototypical object is controllable, whether and what properties can be manipulated, and whether the injected value leads to further consequences.
We implemented a prototype of ProbeTheProto and evaluated it on one million websites. The results reveal that 2,738 real-world websites—including ten among the top 1,000—are vulnerable to 2,917 zero-day, exploitable prototype pollution vulnerabilities. We verify that 48 vulnerabilities further lead to XSS, 736 to cookie manipulations, and 830 to URL manipulations. We reported all the findings to website maintainers and so far 185 vulnerable websites have already been patched.