{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,2]],"date-time":"2026-07-02T15:50:49Z","timestamp":1783007449111,"version":"3.54.5"},"publisher-location":"New York, NY, USA","reference-count":52,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,5,13]],"date-time":"2024-05-13T00:00:00Z","timestamp":1715558400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Swedish Foundation for Strategic Research"},{"name":"Wallenberg AI, Autonomous Systems and Software Program (WASP)"},{"name":"Swedish Research Council"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,5,13]]},"DOI":"10.1145\/3589334.3645579","type":"proceedings-article","created":{"date-parts":[[2024,5,8]],"date-time":"2024-05-08T07:08:13Z","timestamp":1715152093000},"page":"1800-1811","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":6,"title":["Unveiling the Invisible: Detection and Evaluation of Prototype Pollution Gadgets with Dynamic Taint Analysis"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2621-5179","authenticated-orcid":false,"given":"Mikhail","family":"Shcherbakov","sequence":"first","affiliation":[{"name":"KTH Royal Institute of Technology, Stockholm, Sweden"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-9111-2667","authenticated-orcid":false,"given":"Paul","family":"Moosbrugger","sequence":"additional","affiliation":[{"name":"KTH Royal Institute of Technology, Stockholm, Sweden"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6005-5992","authenticated-orcid":false,"given":"Musard","family":"Balliu","sequence":"additional","affiliation":[{"name":"KTH Royal Institute of Technology, Stockholm, Sweden"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2024,5,13]]},"reference":[{"key":"e_1_3_2_2_1_1","unstructured":"[n. d.]. Client-Side Prototype Pollution and useful Script Gadgets. https:\/\/github.com\/BlackFan\/client-side-prototype-pollution."},{"key":"e_1_3_2_2_2_1","unstructured":"[n. d.]. Elastic Stack: Elasticsearch Kibana Beats Logstash - Elastic. https:\/\/www.elastic.co\/elastic-stack\/."},{"key":"e_1_3_2_2_3_1","unstructured":"[n. d.]. Exploiting prototype pollution - RCE in Kibana (CVE-2019--7609). https:\/\/research.securitum.com\/prototype-pollution-rce-kibana-cve-2019--7609."},{"key":"e_1_3_2_2_4_1","unstructured":"[n. d.]. Graal.js. https:\/\/github.com\/oracle\/graaljs."},{"key":"e_1_3_2_2_5_1","unstructured":"[n. d.]. Libraries.io - The Open Source Discovery Service. https:\/\/libraries.io."},{"key":"e_1_3_2_2_6_1","volume-title":"SandTrap: Securing JavaScript-driven Trigger-Action Platforms. In USENIX Security Symposium.","author":"Ahmadpanah Mohammad M.","year":"2021","unstructured":"Mohammad M. Ahmadpanah, Daniel Hedin, Musard Balliu, Lars Eric Olsson, and Andrei Sabelfeld. 2021. SandTrap: Securing JavaScript-driven Trigger-Action Platforms. In USENIX Security Symposium."},{"key":"e_1_3_2_2_7_1","volume-title":"Proceedings of the 37th IEEE\/ACM International Conference on Automated Software Engineering","author":"Aldrich Mark W.","year":"2023","unstructured":"Mark W. Aldrich, Alexi Turcotte, Matthew Blanco, and Frank Tip. 2023. Augur: Dynamic Taint Analysis for Asynchronous JavaScript. In Proceedings of the 37th IEEE\/ACM International Conference on Automated Software Engineering (Rochester, MI, USA) (ASE'22). Article 153, 4 pages."},{"key":"e_1_3_2_2_8_1","volume-title":"Prototype pollution attack in NodeJS application. NorthSec","author":"Arteau Olivier","year":"2018","unstructured":"Olivier Arteau. 2018. Prototype pollution attack in NodeJS application. NorthSec (2018)."},{"key":"e_1_3_2_2_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/1966913.1966919"},{"key":"e_1_3_2_2_10_1","volume-title":"Finding and Preventing Bugs in JavaScript Bindings. In Symposium on Security and Privacy (S&P).","author":"Brown Fraser","year":"2017","unstructured":"Fraser Brown, Shravan Narayan, Riad S. Wahby, Dawson R. Engler, Ranjit Jhala, and Deian Stefan. 2017. Finding and Preventing Bugs in JavaScript Bindings. In Symposium on Security and Privacy (S&P)."},{"key":"e_1_3_2_2_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/3054924"},{"key":"e_1_3_2_2_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP57164.2023.00068"},{"key":"e_1_3_2_2_13_1","unstructured":"Johannes Dahse and Thorsten Holz. 2014. Static Detection of Second-Order Vulnerabilities in Web Applications. In USENIX Security 14. 989--1003."},{"key":"e_1_3_2_2_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660363"},{"key":"e_1_3_2_2_15_1","volume-title":"Polyglot Instrumentation Support for Debuggers and other Tools. CoRR abs\/1803.10201","author":"Van de Vanter Michael L.","year":"2018","unstructured":"Michael L. Van de Vanter, Chris Seaton, Michael Haupt, Christian Humer, and Thomas W\u00fcrthinger. 2018. Fast, Flexible, Polyglot Instrumentation Support for Debuggers and other Tools. CoRR abs\/1803.10201 (2018). arXiv:1803.10201 http:\/\/arxiv.org\/abs\/1803.10201"},{"key":"e_1_3_2_2_16_1","volume-title":"Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages. In Network and Distributed System Security Symposium (NDSS).","author":"Duan Ruian","year":"2021","unstructured":"Ruian Duan, Omar Alrawi, Ranjita Pai Kasturi, Ryan Elder, Brendan Saltaformaggio, and Wenke Lee. 2021. Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages. In Network and Distributed System Security Symposium (NDSS)."},{"key":"e_1_3_2_2_17_1","volume-title":"Proceedings of the Black Hat USA","author":"Esser Stefan","year":"2010","unstructured":"Stefan Esser. 2010. Utilizing Code Reuse\/ROP in PHP Application Exploits. Proceedings of the Black Hat USA (2010)."},{"key":"e_1_3_2_2_18_1","unstructured":"Gareth Heyes. [n. d.]. Server-side prototype pollution: Black-box detection without the DoS. https:\/\/portswigger.net\/research\/server-side-prototype-pollution."},{"key":"e_1_3_2_2_19_1","volume-title":"An In-Depth Study of More Than Ten Years of Java Exploitation. In Conference on Computer and Communications Security (CCS). 779--790","author":"Holzinger Philipp","year":"2016","unstructured":"Philipp Holzinger, Stefan Triller, Alexandre Bartel, and Eric Bodden. 2016. An In-Depth Study of More Than Ten Years of Java Exploitation. In Conference on Computer and Communications Security (CCS). 779--790."},{"key":"e_1_3_2_2_20_1","volume-title":"Probe the Proto: Measuring Client-Side Prototype Pollution Vulnerabilities of One Million Real-world Websites. In Network and Distributed System Security Symposium (NDSS","author":"Kang Zifeng","year":"2022","unstructured":"Zifeng Kang, Song Li, and Yinzhi Cao. 2022. Probe the Proto: Measuring Client-Side Prototype Pollution Vulnerabilities of One Million Real-world Websites. In Network and Distributed System Security Symposium (NDSS 2022)."},{"key":"e_1_3_2_2_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2018.2878020"},{"key":"e_1_3_2_2_22_1","volume-title":"2023 IEEE Symposium on Security and Privacy (SP). 253--270","author":"Khodayari S.","unstructured":"S. Khodayari and G. Pellegrino. 2023. It's (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses. In 2023 IEEE Symposium on Security and Privacy (SP). 253--270."},{"key":"e_1_3_2_2_23_1","volume-title":"Ho Kyun Oh, Beom Jin Lee, Si Woo Mun, Jeong Hoon Shin, and Kyounggon Kim.","author":"Kim Hee Yeon","year":"2021","unstructured":"Hee Yeon Kim, Ji Hoon Kim, Ho Kyun Oh, Beom Jin Lee, Si Woo Mun, Jeong Hoon Shin, and Kyounggon Kim. 2021. DAPP: automatic detection and analysis of prototype pollution vulnerability in Node.js modules. International Journal of Information Security (2021), 1--23."},{"key":"e_1_3_2_2_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/3426182.3426184"},{"key":"e_1_3_2_2_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134091"},{"key":"e_1_3_2_2_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/3468264.3468542"},{"key":"e_1_3_2_2_27_1","volume-title":"USENIX Security Symposium.","author":"Li Song","year":"2022","unstructured":"Song Li, Mingqing Kang, Jianwei Hou, and Yinzhi Cao. 2022. Mining Node.js Vulnerabilities via Object Dependence Graph and Query. In USENIX Security Symposium."},{"key":"e_1_3_2_2_28_1","unstructured":"Felix Maier. [n. d.]. Iroh. https:\/\/github.com\/maierfelix\/Iroh."},{"key":"e_1_3_2_2_29_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23309"},{"key":"e_1_3_2_2_30_1","doi-asserted-by":"publisher","unstructured":"Paul Moosbrugger Mikhail Shcherbakov and Musard Balliu. [n. d.]. Dasty: Dynamic Taint Analysis Tool for Prototype Pollution Gadgets Detection. https:\/\/github.com\/KTH-LangSec\/Dasty. https:\/\/doi.org\/10.5281\/zenodo.10650764","DOI":"10.5281\/zenodo.10650764"},{"key":"e_1_3_2_2_31_1","volume-title":"Proceedings of the Black Hat USA","author":"Mu\u00f1oz Alvaro","year":"2017","unstructured":"Alvaro Mu\u00f1oz and Oleksandr Mirosh. 2017. Friday the 13th json attacks. Proceedings of the Black Hat USA (2017)."},{"key":"e_1_3_2_2_32_1","unstructured":"Alvaro Mu\u00f1oz and Christian Schneider. 2018. Serial killer: Silently pwning your Java endpoints."},{"key":"e_1_3_2_2_33_1","unstructured":"OASIS. [n. d.]. Static Analysis Results Interchange Format (SARIF) Version 2.1.0. https:\/\/docs.oasis-open.org\/sarif\/sarif\/v2.1.0\/sarif-v2.1.0.html."},{"key":"e_1_3_2_2_34_1","unstructured":"Oracle. [n. d.]. Graal. https:\/\/www.graalvm.org\/."},{"key":"e_1_3_2_2_35_1","volume-title":"WOOT'15","author":"Peles Or","year":"2015","unstructured":"Or Peles and Roee Hay. 2015. One Class to Rule Them All: 0-Day Deserialization Vulnerabilities in Android. In WOOT'15."},{"key":"e_1_3_2_2_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3320269.3372201"},{"key":"e_1_3_2_2_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/2491411.2491447"},{"key":"e_1_3_2_2_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315313"},{"key":"e_1_3_2_2_39_1","volume-title":"SerialDetector: Principled and Practical Exploration of Object Injection Vulnerabilities for the Web. In 28th Annual Network and Distributed System Security Symposium, NDSS 2021","author":"Shcherbakov Mikhail","year":"2021","unstructured":"Mikhail Shcherbakov and Musard Balliu. 2021. SerialDetector: Principled and Practical Exploration of Object Injection Vulnerabilities for the Web. In 28th Annual Network and Distributed System Security Symposium, NDSS 2021, virtually, February 21--25, 2021."},{"key":"e_1_3_2_2_40_1","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Shcherbakov Mikhail","year":"2023","unstructured":"Mikhail Shcherbakov, Musard Balliu, and Cristian-Alexandru Staicu. 2023. Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js. In 32nd USENIX Security Symposium (USENIX Security 23)."},{"key":"e_1_3_2_2_41_1","volume-title":"USENIX'23 Artifact Appendix: Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js. In 32nd USENIX Security Symposium (USENIX Security 23)","author":"Shcherbakov Mikhail","year":"2023","unstructured":"Mikhail Shcherbakov, Musard Balliu, and Cristian-Alexandru Staicu. 2023. USENIX'23 Artifact Appendix: Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js. In 32nd USENIX Security Symposium (USENIX Security 23)."},{"key":"e_1_3_2_2_42_1","unstructured":"Mikhail Shcherbakov Paul Moosbrugger Musard Balliu and Cristian-Alexandru Staicu. [n. d.]. Server-Side Prototype Pollution Gadgets. https:\/\/github.com\/yuske\/server-side-prototype-pollution."},{"key":"e_1_3_2_2_43_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23071"},{"key":"e_1_3_2_2_44_1","volume-title":"An Empirical Study of Information Flows in Real-World JavaScript. In 14th ACM SIGSAC Workshop on Programming Languages and Analysis for Security, PLAS.","author":"Staicu Cristian-Alexandru","year":"2019","unstructured":"Cristian-Alexandru Staicu, Daniel Schoepe, Musard Balliu, Michael Pradel, and Andrei Sabelfeld. 2019. An Empirical Study of Information Flows in Real-World JavaScript. In 14th ACM SIGSAC Workshop on Programming Languages and Analysis for Security, PLAS."},{"key":"e_1_3_2_2_45_1","volume-title":"Extracting Taint Specifications for JavaScript Libraries. In 2020 IEEE\/ACM 42nd International Conference on Software Engineering (ICSE). 198--209","author":"Staicu Cristian-Alexandru","year":"2020","unstructured":"Cristian-Alexandru Staicu, Martin Toldam Torp, Max Sch\u00e4fer, Anders M\u00f8ller, and Michael Pradel. 2020. Extracting Taint Specifications for JavaScript Libraries. In 2020 IEEE\/ACM 42nd International Conference on Software Engineering (ICSE). 198--209."},{"key":"e_1_3_2_2_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417267"},{"key":"e_1_3_2_2_47_1","volume-title":"How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security. In 26th USENIX Security Symposium, USENIX Security 2017","author":"Stock Ben","year":"2017","unstructured":"Ben Stock, Martin Johns, Marius Steffens, and Michael Backes. 2017. How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security. In 26th USENIX Security Symposium, USENIX Security 2017, Vancouver, BC, Canada, August 16--18, 2017, Engin Kirda and Thomas Ristenpart (Eds.). USENIX Association, 971--987."},{"key":"e_1_3_2_2_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/3178372.3179527"},{"key":"e_1_3_2_2_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/2384716.2384723"},{"key":"e_1_3_2_2_50_1","volume-title":"USENIX Security Symposium.","author":"Xiao Feng","year":"2021","unstructured":"Feng Xiao, Jianwei Huang, Yichang Xiong, Guangliang Yang, Hong Hu, Guofei Gu, and Wenke Lee. 2021. Abusing Hidden Properties to Attack the Node.js Ecosystem. In USENIX Security Symposium."},{"key":"e_1_3_2_2_51_1","unstructured":"YesWeHack. [n. d.]. Server side prototype pollution how to detect and exploit. https:\/\/blog.yeswehack.com\/talent-development\/server-side-prototype-pollution-how-to-detect-and-exploit\/."},{"key":"e_1_3_2_2_52_1","volume-title":"USENIX Security Symposium.","author":"Zimmermann Markus","year":"2019","unstructured":"Markus Zimmermann, Cristian-Alexandru, Cam Tenny, and Michael Pradel. 2019. Small World with High Risks: A Study of Security Threats in the npm Ecosystem. In USENIX Security Symposium."}],"event":{"name":"WWW '24: The ACM Web Conference 2024","location":"Singapore Singapore","acronym":"WWW '24","sponsor":["SIGWEB ACM Special Interest Group on Hypertext, Hypermedia, and Web"]},"container-title":["Proceedings of the ACM Web Conference 2024"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3589334.3645579","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3589334.3645579","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T00:32:15Z","timestamp":1755822735000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3589334.3645579"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,5,13]]},"references-count":52,"alternative-id":["10.1145\/3589334.3645579","10.1145\/3589334"],"URL":"https:\/\/doi.org\/10.1145\/3589334.3645579","relation":{},"subject":[],"published":{"date-parts":[[2024,5,13]]},"assertion":[{"value":"2024-05-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}