IT scientist identifies JavaScript vulnerability in thousands of websites

Millions of developers use JavaScript to build websites and mobile apps, making it one of the most popular programming languages in the world. But according to Johns Hopkins researchers, thousands of JavaScript websites are vulnerable to a security flaw that could lead to manipulation of the site’s URL or theft of a user’s profile information.

Known as prototype pollution, the flaw allows attackers to modify or “pollute” a prototype, which is a built-in property of a JavaScript object. An attacker who manages to modify a JavaScript object prototype can perform various malicious actions.

With a framework they call ProbeTheProto, researchers at the Johns Hopkins Information Security Institute analyzed one million websites running on JavaScript and found that more than 2,700 websites, including some of the most visited in the world, had multiple loopholes that could expose them to prototype pollution.

Ten of the sites were among the top 1,000 most visited websites of the year, including Weebly.com, CNET.com and McKinsey.com.

“Our ProbeTheProto tool can automatically and accurately detect a wide range of potential attacks. And we’ve found that many developers are happy that we help them stay ahead of cybersecurity threats.”

Yinzhi Cao

Assistant Professor of Computer Science

“It is only recently that researchers have started to look closely at prototype pollution and realize that it is a matter of great concern,” said cybersecurity expert Yinzhi Cao, assistant professor of computer science at the Johns Hopkins Whiting School of Engineering. “Many members of the developer community may not be aware that prototype pollution vulnerabilities can have serious consequences.”

In JavaScript, an object is a collection of related data or functionality; for example, a user account object can contain data such as usernames, passwords, and email addresses. Once an attacker makes a change to an object prototype, it will affect how the object works throughout the application and open the door to more severe vulnerabilities, Cao adds.

He and his team set out to study this snowball effect using dynamic taint analysis, a method in which app inputs are tagged with a special “tainted” marker and researchers observe how tainted data propagates through the program. If the marker is still there when the program exits, researchers know that the application is vulnerable to attacks through that input, which could trigger unintended behavior.

“Imagine a very long pipe in a big black box and I want to know if points A and B are connected. If they are, I can put a toxic liquid at point A to attack point B. What we do is drop a bit of red dye into the water at point A, then observe the color of the water at point B. If I can see that point B is also red, I know that A and B are connected and then we can launch attacks,” Cao said.

Researchers have identified three major attacks that prototype pollution can lead to: cross-site scripting (XSS), cookie manipulation, and URL manipulation. Such vulnerabilities on public websites provide many opportunities for cybercriminals to hijack passwords and install malware, among other nefarious activities.
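To make the mechanism described above concrete, here is an added example that is not code from the Johns Hopkins paper or the ProbeTheProto tool. It shows a minimal recursive “merge” helper of the kind found in many utility libraries, written without key filtering so that a JSON payload containing a "__proto__" key walks into Object.prototype. A second, unrelated object created afterwards then inherits the attacker-chosen value, and a hypothetical redirect helper that reads a config key it never set picks it up (the URL-manipulation case). The hardened merge that follows skips the "__proto__", "constructor" and "prototype" keys and only copies own properties; a small runtime check at the end detects a polluted prototype. All names, the sample payload and the URL are constructed for this illustration.

```javascript
// Vulnerable "before": no key filtering, and for...in follows the inherited
// __proto__ accessor, so merging {"__proto__": {...}} writes into Object.prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key]) target[key] = {};
      unsafeMerge(target[key], value); // target["__proto__"] is Object.prototype here
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened "after": never follow keys that reach a prototype, and only
// iterate the source's own enumerable keys.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!Object.prototype.hasOwnProperty.call(target, key) || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker-controlled input, e.g. a parsed JSON body or query string.
const POLLUTING_INPUT = JSON.parse('{"__proto__": {"redirectUrl": "https://evil.example/"}}');

// Hypothetical consumer elsewhere in the app: reads a key it never set itself,
// so the lookup falls through the prototype chain.
function resolveRedirect(userConfig) {
  return userConfig.redirectUrl || '/home';
}

// Runtime check: a clean Object.prototype has no enumerable properties, so a
// fresh empty object should yield nothing in for...in.
function prototypeIsPolluted() {
  for (const key in {}) return true; // eslint-disable-line no-unused-vars
  return false;
}

function demonstrateVulnerable() {
  unsafeMerge({}, POLLUTING_INPUT);
  const unrelated = {}; // created after the merge, never touched by it
  const result = {
    polluted: 'redirectUrl' in unrelated,  // true: inherited from Object.prototype
    redirect: resolveRedirect(unrelated),  // "https://evil.example/"
    detected: prototypeIsPolluted(),       // true
  };
  delete Object.prototype.redirectUrl;     // undo the pollution for the rest of the program
  return result;
}

function demonstrateHardened() {
  const merged = safeMerge({}, POLLUTING_INPUT);
  const unrelated = {};
  return {
    polluted: 'redirectUrl' in unrelated,  // false
    redirect: resolveRedirect(unrelated),  // "/home"
    mergedKeys: Object.keys(merged),       // []: nothing from the payload was copied
    detected: prototypeIsPolluted(),       // false
  };
}

console.log(demonstrateVulnerable());
console.log(demonstrateHardened());
```

The same inherited-lookup pattern is what turns a polluted prototype into XSS or cookie manipulation: any code that reads an option such as an HTML template, a cookie attribute or a redirect target without checking that it is an own property will silently receive the attacker’s value. Besides filtering keys as above, building configuration objects with `Object.create(null)` or calling `Object.freeze(Object.prototype)` early in page load removes the sink entirely.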

Cao says researchers have a responsibility to report prototype pollution vulnerabilities to website owners and even recommend the best fix for their code. Thanks to Cao’s team sounding the alarm, so far 293 vulnerabilities have already been patched by the developers.

“Organizations don’t even know these vulnerabilities exist. Our ProbeTheProto tool can automatically and accurately detect a wide range of potential attacks. And we’ve found that many developers are happy that we’re helping them stay ahead of the game on cybersecurity threats,” Cao said.

Computer science graduate students Zifeng Kang and Song Li contributed to the research. Team members will present their paper, “Probe the Proto: Measuring Client-Side Prototype Pollution Vulnerabilities of One Million Real-world Websites,” at the Network & Distributed System Security Symposium April 24-28 in San Diego.

About Madeline Powers
