Zifeng Kang (Johns Hopkins University)

In this talk, we present the experimental experience in the evaluation of ProbetheProto (NDSS’22), the first large-scale measurement study of client-side prototype pollution vulnerabilities. First, we discuss the challenges for deploying ProbetheProto on real-world websites and how we mitigate them in the deployment. We present a breakdown of real-world consequences and defenses found by ProbetheProto. Second, we describe how we compare ProbetheProto with a state-of-the-art detection tool. Specifically, we modify ObjLupAnsys, a Node.js prototype pollution detection tool, to support client-side applications. Results show that ProbetheProto significantly outperforms ObjLupAnsys in two experimental settings. Lastly, we experimentally evaluate the code coverage, the performance overhead, and the True Positive Rate (TPR) of ProbetheProto. We will also discuss our evaluation limitations.

Speaker's biography

Zifeng Kang is a third-year Ph.D. student at Johns Hopkins University. His research mainly focuses on program analysis of Web Security issues.

View More Papers

NSFuzz: Towards Efficient and State-Aware Network Service Fuzzing

Shisong Qin (Tsinghua University), Fan Hu (State Key Laboratory of Mathematical Engineering and Advanced Computing), Bodong Zhao (Tsinghua University), Tingting Yin (Tsinghua University), Chao Zhang (Tsinghua University)

Read More

Detecting Obfuscated Function Clones in Binaries using Machine Learning

Michael Pucher (University of Vienna), Christian Kudera (SBA Research), Georg Merzdovnik (SBA Research)

Read More

“So I Sold My Soul“: Effects of Dark Patterns...

Oksana Kulyk (ITU Copenhagen), Willard Rafnsson (IT University of Copenhagen), Ida Marie Borberg, Rene Hougard Pedersen

Read More