{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,9]],"date-time":"2026-07-09T15:22:25Z","timestamp":1783610545046,"version":"3.55.0"},"publisher-location":"New York, NY, USA","reference-count":54,"publisher":"ACM","license":[{"start":{"date-parts":[[2021,8,18]],"date-time":"2021-08-18T00:00:00Z","timestamp":1629244800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"NSF (National Science Foundation)","doi-asserted-by":"publisher","award":["2046361"],"award-info":[{"award-number":["2046361"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"name":"DARPA","award":["FA875019C0006"],"award-info":[{"award-number":["FA875019C0006"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,8,20]]},"DOI":"10.1145\/3468264.3468542","type":"proceedings-article","created":{"date-parts":[[2021,8,19]],"date-time":"2021-08-19T01:44:18Z","timestamp":1629337458000},"page":"268-279","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":41,"title":["Detecting Node.js prototype pollution vulnerabilities via object lookup analysis"],"prefix":"10.1145","author":[{"given":"Song","family":"Li","sequence":"first","affiliation":[{"name":"Johns Hopkins University, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Mingqing","family":"Kang","sequence":"additional","affiliation":[{"name":"Johns Hopkins University, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Jianwei","family":"Hou","sequence":"additional","affiliation":[{"name":"Johns Hopkins University, USA \/ Renmin University of China, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yinzhi","family":"Cao","sequence":"additional","affiliation":[{"name":"Johns Hopkins University, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2021,8,18]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"[n.d.]. Brave PageGraph. https:\/\/github.com\/brave\/brave-browser\/wiki\/PageGraph  [n.d.]. Brave PageGraph. https:\/\/github.com\/brave\/brave-browser\/wiki\/PageGraph"},{"key":"e_1_3_2_1_2_1","unstructured":"[n.d.]. Istanbul\u2019s state of the art command line interface. https:\/\/www.npmjs.com\/package\/nyc  [n.d.]. Istanbul\u2019s state of the art command line interface. https:\/\/www.npmjs.com\/package\/nyc"},{"key":"e_1_3_2_1_3_1","unstructured":"[n.d.]. Node simple OData server. https:\/\/github.com\/pofider\/node-simple-odata-server  [n.d.]. Node simple OData server. https:\/\/github.com\/pofider\/node-simple-odata-server"},{"key":"e_1_3_2_1_4_1","unstructured":"[n.d.]. Parser utility to generate ASTs from PHP source code suitable to be processed by Joern. https:\/\/github.com\/malteskoruppa\/phpjoern  [n.d.]. Parser utility to generate ASTs from PHP source code suitable to be processed by Joern. https:\/\/github.com\/malteskoruppa\/phpjoern"},{"key":"e_1_3_2_1_5_1","unstructured":"[n.d.]. SES. https:\/\/github.com\/tc39\/proposal-ses  [n.d.]. SES. https:\/\/github.com\/tc39\/proposal-ses"},{"key":"e_1_3_2_1_6_1","unstructured":"[n.d.]. Simple flexible fun JavaScript test framework for Node.js and The Browser. https:\/\/www.npmjs.com\/package\/mocha  [n.d.]. Simple flexible fun JavaScript test framework for Node.js and The Browser. https:\/\/www.npmjs.com\/package\/mocha"},{"key":"e_1_3_2_1_7_1","unstructured":"Olivier Arteau. 2018. Prototype Pollution Attack in NodeJS Application. NorthSec.  Olivier Arteau. 2018. Prototype Pollution Attack in NodeJS Application. NorthSec."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/2594291.2594299"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"crossref","unstructured":"Michael Backes Konrad Rieck Malte Skoruppa Ben Stock and Fabian Yamaguchi. 2017. Efficient and flexible discovery of PHP application vulnerabilities. In 2017 IEEE european symposium on security and privacy (EuroS&P). 334\u2013349.  Michael Backes Konrad Rieck Malte Skoruppa Ben Stock and Fabian Yamaguchi. 2017. Efficient and flexible discovery of PHP application vulnerabilities. In 2017 IEEE european symposium on security and privacy (EuroS&P). 334\u2013349.","DOI":"10.1109\/EuroSP.2017.14"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.68"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866387"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/2414456.2414460"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/2664243.2664256"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"crossref","unstructured":"Yinzhi Cao Vaibhav Rastogi Zhichun Li Yan Chen and Alex Moshchuk. 2013. Redefining Web Browser Principals with a Configurable Origin Policy. In DSN.  Yinzhi Cao Vaibhav Rastogi Zhichun Li Yan Chen and Alex Moshchuk. 2013. Redefining Web Browser Principals with a Configurable Origin Policy. In DSN.","DOI":"10.1109\/DSN.2013.6575317"},{"key":"e_1_3_2_1_15_1","volume-title":"International Conference on Security and Privacy in Communication Networks. 582\u2013601","author":"Cao Yinzhi","year":"2014","unstructured":"Yinzhi Cao , Chao Yang , Vaibhav Rastogi , Yan Chen , and Guofei Gu . 2014 . Abusing browser address bar for fun and profit-an empirical investigation of add-on cross site scripting attacks . In International Conference on Security and Privacy in Communication Networks. 582\u2013601 . Yinzhi Cao, Chao Yang, Vaibhav Rastogi, Yan Chen, and Guofei Gu. 2014. Abusing browser address bar for fun and profit-an empirical investigation of add-on cross site scripting attacks. In International Conference on Security and Privacy in Communication Networks. 582\u2013601."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN48063.2020.00026"},{"key":"e_1_3_2_1_17_1","volume-title":"27th $USENIX$ Security Symposium ($USENIX$ Security 18). 343\u2013359.","author":"Davis James C","unstructured":"James C Davis , Eric R Williamson , and Dongyoon Lee . 2018. A sense of time for JavaScript and Node.js: first-class timeouts as a cure for event handler poisoning . In 27th $USENIX$ Security Symposium ($USENIX$ Security 18). 343\u2013359. James C Davis, Eric R Williamson, and Dongyoon Lee. 2018. A sense of time for JavaScript and Node.js: first-class timeouts as a cure for event handler poisoning. In 27th $USENIX$ Security Symposium ($USENIX$ Security 18). 343\u2013359."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3345656"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359813"},{"key":"e_1_3_2_1_20_1","unstructured":"Google. [n.d.]. Google Caja. http:\/\/code.google.com\/p\/google-caja\/  Google. [n.d.]. Google Caja. http:\/\/code.google.com\/p\/google-caja\/"},{"key":"e_1_3_2_1_21_1","volume-title":"GATEKEEPER: Mostly Static Enforcement of Security and Reliability Policies for JavaScript Code. In USENIX Security.","author":"Guarnieri Salvatore","year":"2009","unstructured":"Salvatore Guarnieri and Benjamin Livshits . 2009 . GATEKEEPER: Mostly Static Enforcement of Security and Reliability Policies for JavaScript Code. In USENIX Security. Salvatore Guarnieri and Benjamin Livshits. 2009. GATEKEEPER: Mostly Static Enforcement of Security and Reliability Policies for JavaScript Code. In USENIX Security."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/2001420.2001442"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2017.15"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00005"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-03237-0_17"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.29"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/2635868.2635904"},{"key":"e_1_3_2_1_28_1","volume-title":"Ho Kyun Oh, Beom Jin Lee, Si Woo Mun, Jeong Hoon Shin, and Kyounggon Kim.","author":"Kim Hee Yeon","year":"2021","unstructured":"Hee Yeon Kim , Ji Hoon Kim , Ho Kyun Oh, Beom Jin Lee, Si Woo Mun, Jeong Hoon Shin, and Kyounggon Kim. 2021 . DAPP: automatic detection and analysis of prototype pollution vulnerability in Node. js modules. International Journal of Information Security , 1\u201323. Hee Yeon Kim, Ji Hoon Kim, Ho Kyun Oh, Beom Jin Lee, Si Woo Mun, Jeong Hoon Shin, and Kyounggon Kim. 2021. DAPP: automatic detection and analysis of prototype pollution vulnerability in Node. js modules. International Journal of Information Security, 1\u201323."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516703"},{"key":"e_1_3_2_1_30_1","volume-title":"24th $USENIX$ Security Symposium ($USENIX$ Security 15). 723\u2013735.","author":"Lekies Sebastian","unstructured":"Sebastian Lekies , Ben Stock , Martin Wentzel , and Martin Johns . 2015. The unexpected dangers of dynamic javascript . In 24th $USENIX$ Security Symposium ($USENIX$ Security 15). 723\u2013735. Sebastian Lekies, Ben Stock, Martin Wentzel, and Martin Johns. 2015. The unexpected dangers of dynamic javascript. In 24th $USENIX$ Security Symposium ($USENIX$ Security 15). 723\u2013735."},{"key":"e_1_3_2_1_31_1","unstructured":"V Benjamin Livshits and Monica S Lam. 2005. Finding Security Vulnerabilities in Java Applications with Static Analysis.. In USENIX Security.  V Benjamin Livshits and Monica S Lam. 2005. Finding Security Vulnerabilities in Java Applications with Static Analysis.. In USENIX Security."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/2858965.2814272"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-89330-1_22"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/TR.2015.2457411"},{"key":"e_1_3_2_1_35_1","volume-title":"Proceedings of the Network and Distributed System Security Symposium.","author":"Nadji Y.","unstructured":"Y. Nadji , P. Saxena , and D. Song . 2009. Document structure integrity: A robust basis for cross-site scripting defense . In Proceedings of the Network and Distributed System Security Symposium. Y. Nadji, P. Saxena, and D. Song. 2009. Document structure integrity: A robust basis for cross-site scripting defense. In Proceedings of the Network and Distributed System Security Symposium."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3338906.3338933"},{"key":"e_1_3_2_1_37_1","volume-title":"2012 International Conference for Internet Technology and Secured Transactions. 348\u2013355","author":"Ojamaa Andres","year":"2012","unstructured":"Andres Ojamaa and Karl D\u00fc\u00fcna . 2012 . Assessing the security of Node. js platform . In 2012 International Conference for Internet Technology and Secured Transactions. 348\u2013355 . Andres Ojamaa and Karl D\u00fc\u00fcna. 2012. Assessing the security of Node. js platform. In 2012 International Conference for Internet Technology and Secured Transactions. 348\u2013355."},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978384"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180184"},{"key":"e_1_3_2_1_40_1","volume-title":"Proceedings of the 20th USENIX conference on Security. 12\u201312","author":"Politz Joe Gibbs","year":"2011","unstructured":"Joe Gibbs Politz , Spiridon Aristides Eliopoulos , Arjun Guha , and Shriram Krishnamurthi . 2011 . ADsafety: type-based verification of JavaScript Sandboxing . In Proceedings of the 20th USENIX conference on Security. 12\u201312 . Joe Gibbs Politz, Spiridon Aristides Eliopoulos, Arjun Guha, and Shriram Krishnamurthi. 2011. ADsafety: type-based verification of JavaScript Sandboxing. In Proceedings of the 20th USENIX conference on Security. 12\u201312."},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2015.51"},{"key":"e_1_3_2_1_42_1","volume-title":"2017 32nd IEEE\/ACM International Conference on Automated Software Engineering (ASE). 648\u2013659","author":"Saha Ripon K","unstructured":"Ripon K Saha , Yingjun Lyu , Hiroaki Yoshida , and Mukul R Prasad . [n.d.]. Elixir : Effective object-oriented program repair . In 2017 32nd IEEE\/ACM International Conference on Automated Software Engineering (ASE). 648\u2013659 . Ripon K Saha, Yingjun Lyu, Hiroaki Yoshida, and Mukul R Prasad. [n.d.]. Elixir: Effective object-oriented program repair. In 2017 32nd IEEE\/ACM International Conference on Automated Software Engineering (ASE). 648\u2013659."},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/1368310.1368327"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/1993316.1993539"},{"key":"e_1_3_2_1_45_1","volume-title":"27th $USENIX$ Security Symposium ($USENIX$ Security 18). 361\u2013376.","author":"Staicu Cristian-Alexandru","unstructured":"Cristian-Alexandru Staicu and Michael Pradel . 2018. Freezing the web: A study of redos vulnerabilities in javascript-based web servers . In 27th $USENIX$ Security Symposium ($USENIX$ Security 18). 361\u2013376. Cristian-Alexandru Staicu and Michael Pradel. 2018. Freezing the web: A study of redos vulnerabilities in javascript-based web servers. In 27th $USENIX$ Security Symposium ($USENIX$ Security 18). 361\u2013376."},{"key":"e_1_3_2_1_46_1","volume-title":"SYNODE: Understanding and Automatically Preventing Injection Attacks on NODE.JS.","author":"Staicu Cristian-Alexandru","year":"2018","unstructured":"Cristian-Alexandru Staicu , Michael Pradel , and Benjamin Livshits . 2018 . SYNODE: Understanding and Automatically Preventing Injection Attacks on NODE.JS. Cristian-Alexandru Staicu, Michael Pradel, and Benjamin Livshits. 2018. SYNODE: Understanding and Automatically Preventing Injection Attacks on NODE.JS."},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/3338504.3357339"},{"key":"e_1_3_2_1_48_1","volume-title":"23rd $USENIX$ Security Symposium ($USENIX$ Security 14). 655\u2013670.","author":"Stock Ben","unstructured":"Ben Stock , Sebastian Lekies , Tobias Mueller , Patrick Spiegel , and Martin Johns . 2014. Precise client-side protection against DOM-based cross-site scripting . In 23rd $USENIX$ Security Symposium ($USENIX$ Security 14). 655\u2013670. Ben Stock, Sebastian Lekies, Tobias Mueller, Patrick Spiegel, and Martin Johns. 2014. Precise client-side protection against DOM-based cross-site scripting. In 23rd $USENIX$ Security Symposium ($USENIX$ Security 14). 655\u2013670."},{"key":"e_1_3_2_1_49_1","volume-title":"Blueprint: Precise Browser-neutral Prevention of Cross-site Scripting Attacks. In IEEE Symposium on Security and Privacy.","author":"Louw Mike Ter","unstructured":"Mike Ter Louw and V.N. Venkatakrishnan . 2009 . Blueprint: Precise Browser-neutral Prevention of Cross-site Scripting Attacks. In IEEE Symposium on Security and Privacy. Mike Ter Louw and V.N. Venkatakrishnan. 2009. Blueprint: Precise Browser-neutral Prevention of Cross-site Scripting Attacks. In IEEE Symposium on Security and Privacy."},{"key":"e_1_3_2_1_50_1","volume-title":"Proceeding of the Network and Distributed System Security Symposium (NDSS.07)","author":"Vogt P.","unstructured":"P. Vogt , F. Nentwich , N. Jovanovic , E. Kirda , C. Kruegel , and G. Vigna . 2007. Cross-site scripting prevention with dynamic data tainting and static analysis . In Proceeding of the Network and Distributed System Security Symposium (NDSS.07) . P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. 2007. Cross-site scripting prevention with dynamic data tainting and static analysis. In Proceeding of the Network and Distributed System Security Symposium (NDSS.07)."},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133986"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.44"},{"key":"e_1_3_2_1_53_1","volume-title":"USENIX Security Symposium. 33\u201348","author":"Zhang Xiaolan","year":"2002","unstructured":"Xiaolan Zhang , Antony Edwards , and Trent Jaeger . 2002 . Using CQUAL for Static Analysis of Authorization Hook Placement .. In USENIX Security Symposium. 33\u201348 . Xiaolan Zhang, Antony Edwards, and Trent Jaeger. 2002. Using CQUAL for Static Analysis of Authorization Hook Placement.. In USENIX Security Symposium. 33\u201348."},{"key":"e_1_3_2_1_54_1","volume-title":"28th $USENIX$ Security Symposium ($USENIX$ Security 19). 995\u20131010.","author":"Zimmermann Markus","unstructured":"Markus Zimmermann , Cristian-Alexandru Staicu , Cam Tenny , and Michael Pradel . 2019. Small world with high risks: A study of security threats in the npm ecosystem . In 28th $USENIX$ Security Symposium ($USENIX$ Security 19). 995\u20131010. Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Small world with high risks: A study of security threats in the npm ecosystem. In 28th $USENIX$ Security Symposium ($USENIX$ Security 19). 995\u20131010."}],"event":{"name":"ESEC\/FSE '21: 29th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering","location":"Athens Greece","acronym":"ESEC\/FSE '21","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering"]},"container-title":["Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3468264.3468542","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3468264.3468542","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3468264.3468542","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T21:24:50Z","timestamp":1750195490000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3468264.3468542"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,8,18]]},"references-count":54,"alternative-id":["10.1145\/3468264.3468542","10.1145\/3468264"],"URL":"https:\/\/doi.org\/10.1145\/3468264.3468542","relation":{},"subject":[],"published":{"date-parts":[[2021,8,18]]},"assertion":[{"value":"2021-08-18","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}