Detecting Prototype Pollution on the Web

Type

Master's Thesis

Abstract

Prototype pollution is a vulnerability that exploits the inner workings of the JavaScript programming language. Because JavaScript is the most widely used language in the world, the security risk covers a large body of applications. JavaScript powers both web servers and client-facing websites, making it important to mitigate threats such as prototype pollution. Prior work has made significant strides on the server side, leaving a gap in user-facing applications. The lack of research on client-side prototype pollution needs to be addressed, as vulnerable applications can be exposed to threats such as cookie stealing or cross-site scripting, all from visiting a malicious link. The goal of this thesis is to mitigate this threat by researching the prevalence of prototype pollution and defining a practical approach for securing web pages on the internet. While progress has been made on the client side, we have identified issues with existing approaches, such as limited code coverage, reliance on outdated software, and costly analysis. We resolve these issues by introducing a novel approach for detecting client-side prototype pollution. This is accomplished through complete source code retrieval, use of state-of-the-art analysis tools, and readily available means to verify identified vulnerabilities, effectively eliminating false positives. These steps complement each other to define a reliable approach for detecting prototype pollution vulnerabilities. We realize our approach by creating a multi-stage framework for detecting prototype pollution in client-side JavaScript. Using web crawling, we obtain all of the source code for a given website, ensuring full code coverage. To analyze and find vulnerable code on the website, we use CodeQL-powered static analysis for the first time in client-side prototype pollution research.
The static analysis outputs a number of candidates that may lead to prototype pollution, which are then manually verified in a real-world setting by testing the vulnerability on the target website. Our key contribution is our novel, multi-stage approach for detecting prototype pollution. Our framework advances the state of the art by showing that static analysis is indeed feasible and more robust for client-side JavaScript than in previous works. Our evaluation supports this claim by finding and verifying 28 domains vulnerable to prototype pollution. We demonstrate that our approach is viable through a performance evaluation and an empirical comparison to the related work.
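As an added illustration (not code from the thesis), the kind of client-side sink the abstract refers to: a recursive merge of attacker-influenced JSON (a constructed payload, standing in for a decoded URL fragment or query value) writes through `__proto__` into `Object.prototype`, while the hardened merge skips prototype-related keys and only follows the target's own properties. The function names `unsafeMerge`, `safeMerge` and `pollutes` are hypothetical.

```javascript
// Unsafe recursive merge, as commonly found in client-side utility code.
// "__proto__" in the source resolves target["__proto__"] to Object.prototype,
// so the recursion writes the payload's keys onto every object in the page.
function unsafeMerge(target, source) {
  for (const key in source) {
    const val = source[key];
    if (typeof val === "object" && val !== null) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened merge: reject keys that reach the prototype chain and only descend
// into properties the target actually owns (never an inherited accessor).
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (typeof val === "object" && val !== null) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== "object" || target[key] === null) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed payload: JSON.parse creates "__proto__" as an own property,
// which is exactly what a vulnerable merge then walks into.
const PAYLOAD = '{"theme":"dark","__proto__":{"polluted":"yes"}}';

// Run a merge against a fresh object and report whether Object.prototype gained
// the marker key; the marker is removed afterwards so the process stays clean.
function pollutes(mergeFn, payloadJson) {
  mergeFn({}, JSON.parse(payloadJson));
  const hit = Object.prototype.hasOwnProperty.call(Object.prototype, "polluted");
  delete Object.prototype.polluted;
  return hit;
}
```

`pollutes(unsafeMerge, PAYLOAD)` returns true and `pollutes(safeMerge, PAYLOAD)` returns false, while `safeMerge` still copies the legitimate `theme` key; a CodeQL query for this class of bug looks for exactly this shape of taint flow from a remote source into a computed property write.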

Subject/keywords

JavaScript, security, prototype pollution, static analysis, CodeQL
