
A tale of making internet pollution free - BSides Ahmedabad 2021

A tale of making internet pollution free

Finding & Exploiting Client-Side Prototype Pollution in the Wild

Transcript

  1. A tale of making internet pollution free: Finding & Exploiting Client-Side Prototype Pollution in the Wild
  2. Speakers
     • Mohan SRK P (@s1r1u5_) • I like browsers, electron and CTFs
     • Harsh Jaiswal (@rootxharsh) • Web and shit posting
  3. Agenda • Javascript Prototype • Prototype Pollution • Methodology To Find & Exploit Prototype Pollution at Scale • Case Studies & Results • Ways To Mitigate Prototype Pollution • Conclusion
  4. Javascript Prototype

  5. Javascript Prototype • Javascript is a prototype-based language. • Objects inherit properties and methods via the prototype object. • Prototype-based inheritance is cool, but it has a security hole.
  8. Prototype Pollution

  9. Prototype Pollution • Properties on Object.prototype are available to every object created in the application, through the prototype chain. • If a malicious user can somehow tamper with Object.prototype, every object in the application will see the tampered property.
  11. Passed query parameters → ?user=harsh
      Resulting query object → {"user": "harsh"}
  12. Passed query parameters → ?user[id]=1
      Resulting query object → {"user": {"id": 1}}
  13. Passed query parameters → ?user[id]=1&__proto__[foo]=bar
      Resulting query object → {"user": {"id": 1}}
      Where did __proto__ go?

  15. Methodology To Find & Exploit Prototype Pollution at Scale

  16. Methodology

  17. Detection: Selenium script / Nuclei template
      - Initially used to find sites that have vulnerable location parsing, either of a query value or of the hash value in the URL.
      - Advantage: scalable.
      - Disadvantages: only finds vulnerable location parsing; can't scan authenticated pages.
  19. Detection: Chrome extension
      - To scan authenticated pages manually, we wrote an extension.
      - Advantage: can scan authenticated pages.
      - Disadvantages: only finds vulnerable location parsing; not scalable.
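The query-object slides (11 to 13) and the location-parsing scanners above are easiest to understand with the parser in front of you. The block below is an added example, not code from the talk or from any library it names: a minimal `a[b]=c` query parser in its vulnerable form, the same parser hardened, and the canary check a scanner applies to decide whether a page's location parsing pollutes. Function names (`parseQueryVulnerable`, `parseQueryHardened`, `pollutes`) are assumptions.

```javascript
// Added example, not code from the talk: a minimal "a[b]=c" query parser of
// the kind the slides describe, first vulnerable and then hardened, plus the
// canary check a location-parsing scanner applies. Function names are
// assumptions, not the API of any real library.

// Splits "user[id]" into ["user", "id"]; keys without brackets stay whole.
function splitKey(key) {
  const m = /^([^\[]+)((?:\[[^\]]*\])*)$/.exec(key);
  if (!m) return [key];
  const parts = [m[1]];
  const bracket = /\[([^\]]*)\]/g;
  let s;
  while ((s = bracket.exec(m[2])) !== null) parts.push(s[1]);
  return parts;
}

// Turns "?a=1&b[c]=2" into [[["a"], "1"], [["b", "c"], "2"]].
function pairs(search) {
  return search.replace(/^\?/, '').split('&').filter(Boolean).map((pair) => {
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    return [splitKey(decodeURIComponent(rawKey)), decodeURIComponent(rawVal)];
  });
}

// VULNERABLE: "__proto__" is treated like any other key, so node["__proto__"]
// resolves to Object.prototype and the final assignment lands there. The
// returned object looks clean (slide 13) because the key never became an
// own property of it.
function parseQueryVulnerable(search) {
  const result = {};
  for (const [path, value] of pairs(search)) {
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== 'object' || node[path[i]] === null) node[path[i]] = {};
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// HARDENED: prototype-less containers, so there is no chain to walk into,
// and any pair whose path touches a prototype-reaching key is dropped.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function parseQueryHardened(search) {
  const result = Object.create(null);
  for (const [path, value] of pairs(search)) {
    if (path.some((k) => FORBIDDEN_KEYS.has(k))) continue;
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      const k = path[i];
      if (!Object.prototype.hasOwnProperty.call(node, k) || typeof node[k] !== 'object' || node[k] === null) {
        node[k] = Object.create(null);
      }
      node = node[k];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Canary check (the idea behind the Selenium/Nuclei/extension scanners): feed
// a payload with a random key under __proto__ and see whether a fresh object
// inherits it. The pollution is undone afterwards so the page keeps working.
function pollutes(parser) {
  const canary = 'pp_canary_' + Math.random().toString(36).slice(2);
  try {
    parser('?x=1&__proto__[' + canary + ']=polluted');
    return ({})[canary] === 'polluted';
  } finally {
    delete Object.prototype[canary];
  }
}
```

Values stay strings here (`"1"` rather than the `1` the slides show); the pollution behaviour is the same. In the hardened parser the `Object.create(null)` containers are what close the hole: on a prototype-less object `__proto__` is an ordinary key, not the accessor inherited from Object.prototype, and the deny-list is a second line of defence for parsers that cannot change their container type.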
  20. Detection: Static analysis tool
      - To find all code components that lead to pollution we need static analysis.
      - Used CodeQL.
      - Advantage: can find all sources and sinks that lead to prototype pollution.
      - Disadvantage: not scalable.
  21. Script Gadgets. What is a script gadget? A script gadget is a piece of code in the application that can be triggered via prototype pollution and used to upgrade prototype pollution to XSS.
  22. Script Gadgets. What is a script gadget? A script gadget is a piece of code in the application that can be triggered via prototype pollution and used to upgrade prototype pollution to XSS.
      - The hard and interesting part after detection.
      - Most of the time you need to find the gadget yourself.
      - If you are lucky, pollute.js and untrusted-types can quickly find one.
      - Idea: I think it can be automated with CodeQL.
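What makes a piece of application code a gadget is that it reads a property it never set itself, so a polluted Object.prototype changes what it does. The block below is an added example, not code from the talk: a toy attribute-building helper whose `for...in` loop and `attrs.tag || 'span'` fallback both consult the prototype chain, next to a version that only reads own properties. Names (`buildTagGadget`, `buildTagHardened`, `withPollution`) are assumptions; output is an HTML string, so no DOM is needed, and the polluted values used are deliberately inert.

```javascript
// Added example, not code from the talk: a toy "gadget" of the kind slide 21
// describes, beside its hardened form. Names are assumptions. Output is a
// plain string so the example runs outside a browser.

function escapeAttr(v) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(v).replace(/[&<>"']/g, (c) => map[c]);
}

// GADGET: `attrs.tag || 'span'` picks up an inherited `tag`, and for...in
// enumerates inherited enumerable properties, so attributes the caller never
// passed are emitted once Object.prototype carries them.
function buildTagGadget(attrs) {
  const tag = attrs.tag || 'span';
  let out = '<' + tag;
  for (const name in attrs) {
    if (name === 'tag') continue;
    out += ' ' + name + '="' + escapeAttr(attrs[name]) + '"';
  }
  return out + '>';
}

// HARDENED: only own properties are consulted (Object.keys + hasOwnProperty),
// and attribute names are validated before use.
function buildTagHardened(attrs) {
  const own = (k) => Object.prototype.hasOwnProperty.call(attrs, k);
  const tag = own('tag') ? String(attrs.tag) : 'span';
  let out = '<' + tag;
  for (const name of Object.keys(attrs)) {
    if (name === 'tag') continue;
    if (!/^[a-zA-Z][a-zA-Z0-9-]*$/.test(name)) continue;
    out += ' ' + name + '="' + escapeAttr(attrs[name]) + '"';
  }
  return out + '>';
}

// Test helper: runs fn while Object.prototype carries `key`, then removes it
// again so the rest of the runtime is unaffected. This simulates the state a
// vulnerable location parser leaves behind.
function withPollution(key, value, fn) {
  Object.prototype[key] = value;
  try {
    return fn();
  } finally {
    delete Object.prototype[key];
  }
}
```

The hardened helper also shows why "just freeze the prototype" is not the whole story for application code: the gadget disappears when the code stops trusting inherited properties, independently of whatever the page's parsers do. Both `Object.keys` and `hasOwnProperty` ignore the chain, which is the property a reviewer looks for when auditing option-handling code.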
  23. Identification of Lib

  24. Scanning from DB

  25. Case Study: Bug found using CodeQL
      • Downloaded JS on the top pages of Google, FB, and some private programs.
      • Created a database with CodeQL:
        codeql database create --language=javascript --source-root=./database vulnerable_db
      • Ran the query on the DB:
        codeql query run --database=./vulnerable_db ../pp-automation/learn.ql
  26. Case Study: Bug found using CodeQL

  27. Case Study: Apple XSS using Chrome extension (Rahul's PPScan: https://github.com/msrkp/PPScan)

  28. Case Study: Pollution found using the Python Selenium bot. https://blog.swiftype.com/#__proto__[asdf]=alert(document.domain)

  29. Results

  30. Results • Number of vulnerable libraries found: 18 • Number of bugs reported to vulnerability disclosure programs: ~80 • Total bounties earned by ~10 people: ~40k
  31. Mitigations

  32. Mitigations • Remove the vulnerable code • Freezing Object.prototype, sealing objects, or using Object.create(null) is not enough ◦ For how not to fix it, you should definitely check BlackFan's talk and the pugpug challenge in the BSides Ahmedabad CTF.
  33. Conclusion

  34. Conclusion • New attack surface • Feature proposal: "Mitigation for Client-Side Prototype Pollution", Issue #33, WICG/document-policy on GitHub
  35. Research Team • Sergey Bobrov @Black2Fan • Mohan SRK P @S1r1u5_ • terjanq @terjanq • Beomjin Lee @po6ix • Masato Kinugawa @kinugawamasato • Rahul Maini @iamnoooob • Harsh Jaiswal @rootxharsh • Mikhail Egorov @0ang3el • Nikita Stupin @_nikitastupin
  36. Thanks to other researchers • @_holyvier_ • @SecurityMB • @wcbowling • @corb3nik
  37. Thanks

  38. Questions?