Ten of the sites were among the top 1,000 most visited websites of the year, including Weebly.com, CNET.com and McKinsey.com.
“It is only recently that researchers have started to look closely at the pollution of prototypes and realize that it is a matter of great concern,” said cybersecurity expert Yinzhi Cao, assistant professor of computer science at the Johns Hopkins Whiting School of Engineering. “Many members of the developer community may not be aware that pollution vulnerabilities in prototypes can have serious consequences.”
He and his team set out to study this snowball effect using dynamic taint analysis, a method in which app inputs are tagged with a special “tainted” marker and researchers observe how the tainted data propagates through the program. If the marker is still present when the program exits, researchers know that the application is vulnerable to exploitable input attacks that could trigger unintended behavior.
“Imagine a very long pipe in a big black box, and I want to know whether points A and B are connected. If they are, I can put a toxic liquid in at point A to attack point B. What we do is drop a bit of red dye into the water at point A and then observe the color of the water at point B. If I can see that point B is also red, I know that A and B are connected, and then we can launch attacks,” Cao said.
Researchers have identified three major ingress attacks that can be caused by prototype pollution: cross-site scripting (XSS), cookie manipulation, and URL manipulation. Such vulnerabilities on public websites provide many opportunities for cybercriminals to hijack passwords and install malware, among other nefarious activities.
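A constructed illustration of the mechanism described above (added here; it is not code from the article or from the ProbeTheProto paper): a recursive merge that walks into `__proto__` and so writes to `Object.prototype`, a hypothetical fallback "gadget" that picks the polluted property up, the hardened merge, and a check a defender can run to see whether a key has leaked onto the shared prototype. The input, URLs and function names are all assumptions made for the example.

```javascript
// Constructed untrusted input, e.g. decoded from a URL query string. JSON.parse
// is deliberate: it yields an own "__proto__" key (an object literal would not).
const UNTRUSTED_INPUT = JSON.parse(
  '{"theme":"dark","__proto__":{"cdnBase":"https://untrusted.example/injected.js"}}'
);
// Vulnerable: recursive merge descends into "__proto__" and writes Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val !== null && typeof val === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}
// Hardened: reject prototype-reaching keys and recurse only into own objects.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (val !== null && typeof val === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}
// Hypothetical gadget: falls back to a default when the option is absent. The
// lookup is inherited, so a polluted prototype value is accepted as if set.
function resolveScriptSrc(options) {
  return options.cdnBase || 'https://cdn.example/app.js';
}
// Defender check: which of these keys now resolve on a brand-new empty object?
function detectPollution(keys) {
  return keys.filter((k) => ({})[k] !== undefined);
}
// Run the full flow with one merge strategy, then undo any pollution.
function runScenario(mergeFn) {
  mergeFn({}, UNTRUSTED_INPUT);
  const out = { src: resolveScriptSrc({}), polluted: detectPollution(['cdnBase']) };
  delete Object.prototype.cdnBase;
  return out;
}
```

With `unsafeMerge` the unrelated options object `{}` resolves the injected script URL; with `safeMerge` it keeps the default and `detectPollution` reports nothing.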
Cao says researchers have a responsibility to report prototype pollution vulnerabilities to website owners and even to recommend the best fix for their code. Thanks to Cao’s team sounding the alarm, 293 vulnerabilities have already been patched by the developers.
“Organizations don’t even know these vulnerabilities exist. Our ProbeTheProto tool can automatically and accurately detect a wide range of potential attacks. And we’ve found that many developers are happy that we’re helping them stay ahead of the game on cybersecurity threats,” Cao said.
Computer science graduate students Zifeng Kang and Song Li contributed to the research. Team members will present their paper, “Probe the Proto: Measuring Client-Side Prototype Pollution Vulnerabilities of One Million Real-world Websites,” at the Network & Distributed System Security Symposium April 24-28 in San Diego.