Zifeng Kang (Johns Hopkins University)

In this talk, we present the experimental experience in the evaluation of ProbetheProto (NDSS’22), the first large-scale measurement study of client-side prototype pollution vulnerabilities. First, we discuss the challenges for deploying ProbetheProto on real-world websites and how we mitigate them in the deployment. We present a breakdown of real-world consequences and defenses found by ProbetheProto. Second, we describe how we compare ProbetheProto with a state-of-the-art detection tool. Specifically, we modify ObjLupAnsys, a Node.js prototype pollution detection tool, to support client-side applications. Results show that ProbetheProto significantly outperforms ObjLupAnsys in two experimental settings. Lastly, we experimentally evaluate the code coverage, the performance overhead, and the True Positive Rate (TPR) of ProbetheProto. We will also discuss our evaluation limitations.

Speaker's biography

Zifeng Kang is a third-year Ph.D. student at Johns Hopkins University. His research mainly focuses on program analysis of Web Security issues.

View More Papers

Tetrad: Actively Secure 4PC for Secure Training and Inference

Nishat Koti (IISc Bangalore), Arpita Patra (IISc Bangalore), Rahul Rachuri (Aarhus University, Denmark), Ajith Suresh (IISc, Bangalore)

Read More

LogicMEM: Automatic Profile Generation for Binary-Only Memory Forensics via...

Zhenxiao Qi (UC Riverside), Yu Qu (UC Riverside), Heng Yin (UC Riverside)

Read More

F-PKI: Enabling Innovation and Trust Flexibility in the HTTPS...

Laurent Chuat (ETH Zurich), Cyrill Krähenbühl (ETH Zürich), Prateek Mittal (Princeton University), Adrian Perrig (ETH Zurich)

Read More