Follow My Flow: Unveiling Client-Side Prototype Pollution Gadgets from One Million Real-World Websites
Zifeng Kang, Muxi Lyu, Zhengyu Liu, Jianjia Yu, Runqi Fan, Song Li
IEEE Symposium on Security and Privacy 2025 · Day 1 · Web Security
This talk introduces "Follow My Flow," a groundbreaking research effort to identify and analyze **client-side prototype pollution gadgets** across a vast dataset of real-world websites. Presented by Sungcom from Johns Hopkins University, this work addresses the critical challenge of discovering exploitable vulnerabilities stemming from **prototype pollution**, a JavaScript flaw that allows attackers to inject malicious properties into built-in prototype objects. While prototype pollution itself is a known vulnerability, its true impact materializes only when a "gadget" (a seemingly benign code snippet) unknowingly processes these polluted properties, which diverts program flow to a sensitive location and leads to severe consequences like **cross-site scripting (XSS)**, **cookie manipulation**, or **URL manipulation**. The paper detailing this research was recognized with a distinguished paper award, underscoring its significance in the field of web security.
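The pollution-to-gadget chain described above, as an added example (not code from the paper or the talk): an unfiltered recursive merge pollutes `Object.prototype`, a gadget that reads a property it never set picks up the polluted value, and the key-filtered merge and own-property check stop it. All function names, the `nextUrl` property and the payload are constructed for illustration.

```javascript
// Added illustration: every name is hypothetical and the payload is constructed.
const DEFAULT_URL = '/home';
const PROTO_KEYS = ['__proto__', 'constructor', 'prototype'];

// Recursive merge. With blockProtoKeys=false it is the pollution source:
// the key "__proto__" resolves to Object.prototype and the recursion writes into it.
function merge(target, src, blockProtoKeys) {
  for (const key of Object.keys(src)) {
    if (blockProtoKeys && PROTO_KEYS.includes(key)) continue; // mitigation at the source
    const val = src[key];
    if (val !== null && typeof val === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      merge(target[key], val, blockProtoKeys);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Gadget: benign-looking code that reads a property it never set. The return
// value stands in for what would flow to a sensitive location such as a link URL.
function gadgetNextUrl(options) {
  return options.nextUrl || DEFAULT_URL; // missing own property -> prototype chain lookup
}

// Hardened gadget: trust only properties defined on the object itself.
function hardenedNextUrl(options) {
  const own = Object.prototype.hasOwnProperty.call(options, 'nextUrl');
  return own ? options.nextUrl : DEFAULT_URL;
}

// Runs the chain once and reports what each reader observed on a fresh {}.
function runDemo(blockProtoKeys) {
  // Constructed input; JSON.parse makes "__proto__" an ordinary own key.
  const payload = JSON.parse('{"__proto__": {"nextUrl": "https://attacker.example/"}}');
  try {
    merge({}, payload, blockProtoKeys);
    const polluted = ({}).nextUrl !== undefined;
    return { polluted, gadget: gadgetNextUrl({}), hardened: hardenedNextUrl({}) };
  } finally {
    delete Object.prototype.nextUrl; // undo the pollution so the demo is repeatable
  }
}

console.log('unfiltered merge:', runDemo(false));
console.log('filtered merge:  ', runDemo(true));
```

The gadget never touches the payload directly; it only reads a default-less option from an empty object, which is why gadgets like this look benign in isolation.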