IT scientist identifies JavaScript vulnerability in thousands of websites

Millions of developers use JavaScript to build websites and mobile apps, making it one of the most popular programming languages in the world. But according to Johns Hopkins researchers, thousands of JavaScript websites are vulnerable to a security flaw that could lead to manipulation of the site’s URL or theft of a user’s profile information.

Known as prototype pollution, the flaw allows attackers to modify or “pollute” a prototype, which is a built-in property of a JavaScript object. An attacker who manages to modify a JavaScript object prototype can perform various malicious actions.

With a framework they call ProbeTheProto, researchers from the Johns Hopkins Institute for Information Security analyzed one million websites running JavaScript and found that more than 2,700 websites, some of them among the most visited in the world, had multiple flaws that could expose them to prototype pollution.

Ten of the sites were among the top 1,000 most visited websites of the year, including, and

“Our ProbeTheProto tool can automatically and accurately detect a wide range of potential attacks. And we’ve found that many developers are happy that we help them stay ahead of cybersecurity threats.”

Yinzhi Cao

Assistant Professor of Computer Science

“It was only recently that researchers started looking closely at pollution from prototypes and realized it was a matter of great concern,” said cybersecurity expert Yinzhi Cao, assistant professor of computer science at the Johns Hopkins Whiting School of Engineering. “Many members of the developer community may not be aware that pollution vulnerabilities in prototypes can have serious consequences.”

In JavaScript, an object is a collection of related data or functionality; for example, a user account object can contain data such as usernames, passwords, and email addresses. Once an attacker makes a change to an object prototype, it will affect how the object works throughout the application and open the door to more severe vulnerabilities, Cao adds.

He and his team have begun to study this snowball effect with dynamic taint analysis, a method in which the application’s inputs are labeled with a special “tainted” marker and researchers observe how the tainted data propagates through the program. If the marker is still present at the program’s output, researchers know that the application is vulnerable to exploitable input that could lead to an unintended action.

“Imagine a very long pipe in a big black box and I want to know if points A and B are connected. If they are, I can put a toxic liquid at point A to attack point B. What we do is drop a bit of red dye into the water at point A, then observe the color of the water at point B. If I can see that point B is also red, I know that A and B are connected and then we can launch attacks,” Cao said.

Researchers identified three major classes of attack that prototype pollution can enable: cross-site scripting (XSS), cookie manipulation, and URL manipulation. Such vulnerabilities on public websites provide many opportunities for cybercriminals to hijack passwords and install malware, among other nefarious activities.
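As an added illustration of the mechanism the article describes (this code is not from the Johns Hopkins paper or the ProbeTheProto tool): a recursive merge of untrusted JSON is the classic prototype-pollution sink, and once Object.prototype has been written to, an unrelated object that falls through to the prototype chain for a `redirectUrl` setting becomes a URL-manipulation gadget. The merge functions, the `redirectTarget` gadget, the payload and the baseline check below are all constructed for this example.

```javascript
// Added example, not code from the Johns Hopkins paper or ProbeTheProto.
// Shows a prototype-pollution sink, its effect on an unrelated object,
// a hardened merge, and a runtime check. All inputs are constructed.

// VULNERABLE: recursive merge with no key filtering. When `source` has an
// own property named "__proto__" (JSON.parse creates one), `target["__proto__"]`
// resolves to Object.prototype and the recursion writes into it.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: skip the keys that reach the prototype chain, only descend into
// own properties of `target`, and build nested containers with no prototype.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = Object.create(null);
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// A "gadget" of the kind the URL-manipulation class relies on (hypothetical):
// a missing own property falls through to the prototype chain.
function redirectTarget(options) {
  return options.redirectUrl || '/home';
}

// Runtime check: snapshot Object.prototype's own property names at startup;
// any name that appears later is a sign of pollution.
const PROTOTYPE_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));
function newPrototypeProperties() {
  return Object.getOwnPropertyNames(Object.prototype)
    .filter((name) => !PROTOTYPE_BASELINE.has(name));
}

// Run one merge on the same constructed payload and report what happened.
// Any pollution is removed afterwards so the rest of the process is unaffected.
function runDemo(merge) {
  const untrustedJson =
    '{"theme":"dark","__proto__":{"redirectUrl":"https://example.invalid/"}}';
  const config = merge({}, JSON.parse(untrustedJson));
  const result = {
    theme: config.theme,
    pollutedNames: newPrototypeProperties(),
    unrelatedRedirect: redirectTarget({}), // an object the merge never touched
  };
  delete Object.prototype.redirectUrl;
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', runDemo(mergeUnsafe)); // pollutedNames: ['redirectUrl']
  console.log('safe:  ', runDemo(mergeSafe));   // pollutedNames: []
}
```

The point of the baseline check is that pollution is detectable without knowing the attacker's chosen property name: the set of own names on Object.prototype is fixed at load time in a healthy page, so any later addition is suspect.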

Cao says researchers have a responsibility to report prototype pollution vulnerabilities to website owners and even recommend the best fix for their code. Thanks to Cao’s team sounding the alarm, 293 vulnerabilities have so far been patched by developers.

“Organizations don’t even know these vulnerabilities exist. Our ProbeTheProto tool can automatically and accurately detect a wide range of potential attacks. And we’ve found that many developers are happy that we’re helping them stay ahead of the game on cybersecurity threats,” Cao said.

Computer science graduate students Zifeng Kang and Song Li contributed to the research. Team members will present their paper, “Probe the Proto: Measuring Client-Side Prototype Pollution Vulnerabilities of One Million Real-world Websites,” at the Network & Distributed System Security Symposium April 24-28 in San Diego.