‘Organizations don’t even know these vulnerabilities exist. Our ProbeTheProto tool can automatically and accurately detect a wide range of potential attacks and we’ve found that many developers are happy that we are helping them stay ahead of cybersecurity threats,’ said Yinzhi Cao, Assistant Professor of Computer Science in the Johns Hopkins Whiting School of Engineering.
‘Only recently have researchers started looking closely at prototype pollution and realizing it’s a matter of great concern. Many in the developer community may not be aware that prototype pollution vulnerabilities can have severe consequences.’
Cao and his research team detect these flaws using dynamic taint analysis, a method in which the application’s inputs are labeled with a ‘taint’ marker that follows the data as it moves through the program. If the marker is still present when the data reaches the program’s output, the input arrived there unfiltered, and the researchers know that the application is susceptible to input attacks.
‘Imagine a very long pipe in a big black box and I want to know whether Points A and B are connected. If they are, I can put some toxic liquid at Point A to attack Point B. What we do is to drop a bit of red dye in the water at Point A and then observe the water color at Point B. If I can see Point B is also red, I know A and B are connected and then we can launch attacks,’ said Cao.
The researchers identified the three major input attacks that prototype pollution can enable: URL manipulation, cross-site scripting (XSS) and cookie manipulation. Pollution on its own only changes a shared object prototype; the damage is done when a polluted property reaches one of these sinks, at which point the vulnerability lets an attacker steal passwords or install malicious code.
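The following is an added illustration, not code from the ProbeTheProto paper or from the article, of the flow the two preceding paragraphs describe: attacker-controlled JSON (the tainted input) enters a naive recursive merge, lands on `Object.prototype`, and is later read by an unrelated object at a URL sink. The `unsafeMerge`, `safeMerge`, `buildRedirect` helpers and the constructed `ATTACKER_JSON` payload are assumptions made for this example; the hardened merge simply refuses the `__proto__`, `constructor` and `prototype` keys.

```javascript
// Added example (not from the paper or article): a prototype-pollution
// gadget, the sink it reaches, and a hardened merge. Run with Node.js.

// Vulnerable recursive merge. Object.keys() on a JSON.parse() result includes
// an own "__proto__" key, and target["__proto__"] resolves to Object.prototype,
// so the recursion writes the attacker's values onto every object's prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && typeof target[key] === 'object') {
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: drop the three keys that let a write escape the target object,
// and only recurse into an own, object-valued property of the target.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// URL sink: a property the caller never set falls through to the prototype chain.
function buildRedirect(opts) {
  return opts.redirectUrl || 'https://example.com/home';
}

// Constructed attacker payload, e.g. a JSON request body.
const ATTACKER_JSON =
  '{"__proto__": {"redirectUrl": "https://evil.example/phish"}, "theme": "dark"}';

// Taint flow with the vulnerable merge. Cleans up the global side effect so the
// rest of the process is not left polluted.
function runUnsafe() {
  const target = {};
  try {
    unsafeMerge(target, JSON.parse(ATTACKER_JSON));
    const victim = {};   // unrelated object created after the merge
    return { polluted: 'redirectUrl' in victim, redirect: buildRedirect(victim), theme: target.theme };
  } finally {
    delete Object.prototype.redirectUrl;
  }
}

// Same payload through the hardened merge: legitimate keys survive, the gadget does not.
function runSafe() {
  const target = {};
  safeMerge(target, JSON.parse(ATTACKER_JSON));
  const victim = {};
  return { polluted: 'redirectUrl' in victim, redirect: buildRedirect(victim), theme: target.theme };
}

console.log('unsafe:', JSON.stringify(runUnsafe()));
console.log('safe:  ', JSON.stringify(runSafe()));
```

The `'redirectUrl' in victim` check is the runtime equivalent of the researchers' red dye: `victim` never received the attacker's data directly, so finding the key on it proves the input reached the prototype and, through `buildRedirect`, the URL sink. Blocking the three keys is a fix for this gadget; a merge that wants to be immune to whole classes of such keys can instead build its targets with `Object.create(null)` so there is no prototype to reach.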
Cao believes researchers have a responsibility to report prototype pollution vulnerabilities to the owners of affected websites and, where possible, to recommend a patch for their code. So far, developers have fixed 293 of the reported vulnerabilities.
By Marvellous Iwendi.