Current Location: Home » News & Events » Events » Content

News & Events


计算机学院系列讲座菁英论坛第10期——Prototype Pollution and Beyond: An Existential, Emerging Threat to the World Wide Web


报告题目(Title)Prototype Pollution and Beyond: An Existential, Emerging Threat to the World Wide Web


时间(Date & Time)2023.6.23     10-11am


地点(Location)理科一号楼1126(燕园校区)Room 1126, Science Building #1 (Yanyuan)

主讲人(Speaker)Yinzhi Cao

邀请人(Host)Xin Jin




Prototype pollution is a relatively-new type of vulnerability specific to prototype-based languages, such as JavaScript, which allows an adversary to pollute a base object’s property, leading to further consequences such as Cross-site Scripting (XSS) and session fixation. In this talk, I am presenting our research works in the past five years, which detect and exploit not only prototype pollution vulnerabilities but also other related JavaScript vulnerabilities across server- and client-side applications.  I will start from our ESEC/FSE’2021 paper, which is flow- and context-sensitive JavaScript static analysis with hybrid branch-sensitivity and points-to information to generate a novel graph structure, called Object Property Graph (OPG), using abstract interpretation.  Then, I will present our improved graph, called Object Dependence Graph (USENIX’2022), in detecting a wide range of JavaScript vulnerabilities and our dynamic analysis (NDSS’2022) in exploiting prototype pollution vulnerabilities in real-world websites.  Lastly, I will introduce our recent progress (IEEE S&P’2023 and CCS’2023) in scaling JavaScript abstract interpretation.  Our JavaScript works discovered over 450 Node.js vulnerabilities with 102 CVE identifiers, 2,738 vulnerable websites, and 43 vulnerable browser extensions in total over the years.



Dr. Yinzhi Cao is an assistant professor in Computer Science at Johns Hopkins University. His research mainly focuses on the security and privacy of the Web, smartphones, and machine learning using program analysis techniques. His past work was widely featured by over 30 media outlets, such as NSF Science Now (Episode 38), CCTV News, IEEE Spectrum, Yahoo! News, and ScienceDaily. He received three distinguished paper awards at USENIX Security'2021, SOSP’17, and IEEE CNS’15 respectively, and one best paper nomination at CCS’20.  He is a recipient of the DARPA Young Faculty Award (YFA) 2022, the Amazon Research Award 2021 and 2017, and NSF CAREER Award 2021.