Ten of the sites were among the top 1,000 most visited websites of the year, including Weebly.com, CNET.com and McKinsey.com.
“It was only recently that researchers started looking closely at prototype pollution and realized it was a matter of great concern,” said cybersecurity expert Yinzhi Cao, assistant professor of computer science at the Johns Hopkins Whiting School of Engineering. “Many members of the developer community may not be aware that prototype pollution vulnerabilities can have serious consequences.”
He and his team have begun to study this snowball effect with dynamic taint analysis, a method in which the application’s inputs are labeled with a special “taint” marker and researchers observe how the tainted data propagates through the program. If the marker is still present when the data reaches a sensitive point at the program’s output, researchers know that the application is vulnerable to exploitable input attacks that could lead to an unintended action.
“Imagine a very long pipe in a big black box, and I want to know if points A and B are connected. If they are, I can put a toxic liquid in at point A to attack point B. What we do is drop a bit of red dye into the water at point A, then observe the color of the water at point B. If I can see that point B is also red, I know that A and B are connected, and then we can launch attacks,” Cao said.
The researchers identified three major attacks that prototype pollution can enable: cross-site scripting (XSS), cookie manipulation, and URL manipulation. Such vulnerabilities on public websites give cybercriminals many opportunities to hijack passwords and install malware, among other nefarious activities.
Cao says researchers have a responsibility to report prototype pollution vulnerabilities to website owners and even to recommend the best fix for their code. Thanks to Cao’s team sounding the alarm, 293 vulnerabilities have already been patched by the developers so far.
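As an added illustration, not code from the ProbeTheProto paper or this article, here is the kind of client-side bug the tool looks for and the fix the team would recommend: a query-string parser that nests dotted keys, first in a form open to prototype pollution, then hardened, plus a check a page can run to confirm that `Object.prototype` was not modified. All inputs are constructed.

```javascript
// Added example, not code from the ProbeTheProto paper or this article.
// Parses "?user.name=alice" into { user: { name: 'alice' } }; constructed inputs.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function splitPairs(query) {
  return query.replace(/^\?/, '').split('&').filter(Boolean).map((pair) => {
    const [k, v = ''] = pair.split('=');
    return [decodeURIComponent(k).split('.'), decodeURIComponent(v)];
  });
}

// VULNERABLE: a path segment of "__proto__" walks into Object.prototype, so the
// final assignment writes an input-controlled key onto every object in the page.
function parseQueryUnsafe(query) {
  const result = {};
  for (const [path, value] of splitPairs(query)) {
    let node = result;
    for (const key of path.slice(0, -1)) {
      if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
      node = node[key]; // the key is never checked here
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// HARDENED: drop any pair whose path touches the prototype chain, and build the
// tree from null-prototype objects so a stray key cannot reach an inherited setter.
function parseQuerySafe(query) {
  const result = Object.create(null);
  for (const [path, value] of splitPairs(query)) {
    if (path.some((key) => DANGEROUS_KEYS.has(key))) continue;
    let node = result;
    for (const key of path.slice(0, -1)) {
      if (typeof node[key] !== 'object' || node[key] === null) node[key] = Object.create(null);
      node = node[key];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Detection check: did an unexpected own property appear on Object.prototype?
function isPrototypePolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}
```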
“Organizations don’t even know these vulnerabilities exist. Our ProbeTheProto tool can automatically and accurately detect a wide range of potential attacks. And we’ve found that many developers are happy that we’re helping them stay ahead of the game on cybersecurity threats,” Cao said.
Computer science graduate students Zifeng Kang and Song Li contributed to the research. Team members will present their paper, “Probe the Proto: Measuring Client-Side Prototype Pollution Vulnerabilities of One Million Real-world Websites,” at the Network & Distributed System Security Symposium April 24-28 in San Diego.