A tale of making internet pollution free - BSides Ahmedabad 2021

A tale of making internet pollution free

Finding & Exploiting Client-Side Prototype Pollution in the Wild

More Decks by Mohan Sri Ramakrishna Pedhapati

Transcript

1. A tale of making internet pollution free: Finding & Exploiting Client-Side Prototype Pollution in the Wild
2. Mohan SRK P
   • I like browsers, electron and CTFs
   • @s1r1u5_
   Harsh Jaiswal
   • Web and shit posting
   • @rootxharsh
3. Agenda
   • Javascript Prototype
   • Prototype Pollution
   • Methodology To Find & Exploit Prototype Pollution at Scale
   • Case Studies & Results
   • Ways To Mitigate Prototype Pollution
   • Conclusion
4. Javascript Prototype
   • Javascript is a prototype-based language.
   • Objects inherit properties and methods via the prototype object.
   • Object-based inheritance is cool, but it has a security hole.
5. Prototype Pollution
   • Properties in Object.prototype are available to all the objects created in the application through the prototype chain.
   • If a malicious user somehow tampers with Object.prototype, then every object in the application will have access to the tampered property.
6. Passed query parameters → ?user[id]=1&__proto__[foo]=bar
   Resulting query object → {"user": {"id": 1}}
   Where did __proto__ go?

7. Detection: Selenium script / Nuclei template
   - Initially, used this to find sites which have vulnerable location parsing, via either the query value or the hash value in the URL.
   - Advantage: Scalable
   - Disadvantage: Only finds vulnerable location parsing; we can't scan authenticated pages
8. Detection: Chrome extension
   - To scan authenticated pages manually, we wrote an extension.
   - Advantage: Can scan authenticated pages.
   - Disadvantage: Only finds vulnerable location parsing; not scalable.
9. Detection: Static analysis tool
   - To find all code components which lead to pollution we need to do static analysis.
   - Used CodeQL.
   - Advantage: Can find all sources and sinks which lead to prototype pollution.
   - Disadvantage: Not scalable.
10. Script Gadgets: What is a script gadget? A script gadget is a piece of code in the application which can be triggered via prototype pollution and can be used to upgrade prototype pollution to XSS.
11. Script Gadgets (continued)
   - The hard and interesting part after detection.
   - Most of the time you need to find the gadget yourself.
   - If you are lucky, pollute.js and untrusted-types can quickly find one.
   - Idea: I think it can be automated with CodeQL.
12. Case Study: Bug found using CodeQL
   • Downloaded the JS on the top pages of Google, FB, and some private programs.
   • Created a database with CodeQL: codeql database create --language=javascript --source-root database/ vulnerable_db
   • Ran the query on the DB: codeql query run --database=./vulnerable_db ../pp-automation/learn.ql
13. Results
   • Number of vulnerable libraries found: 18
   • Number of bugs reported to vulnerability disclosure programs: ~80
   • Total bounties earned by ~10 people: ~40k
14. Mitigations
   • Remove the vulnerable code.
   • Object.prototype freezing, Object sealing, or Object.create(null) is not enough.
     ◦ For how not to fix it, you should definitely check BlackFan's talk and the pugpug challenge in the BSides Ahmedabad CTF.
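The query-parsing behaviour from slide 6 and the "remove the vulnerable code" mitigation from slide 14, as an added example that is not code from the talk or from any of the audited libraries. It is a minimal bracket-notation query-string parser (our own construction; `parseQuery`, `keyPath` and `pollutionCheck` are hypothetical names) in its vulnerable form and with the fix, plus the kind of probe a scanner or extension runs to decide whether Object.prototype was polluted.

```javascript
// Added example, not from the talk: a bracket-notation query parser of the
// kind that turns "?user[id]=1" into {"user": {"id": "1"}}. The same parser
// handles "__proto__[foo]=bar" either vulnerably or safely depending on the
// `hardened` flag, so the two behaviours can be compared side by side.

// Keys that would let a query walk onto the prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// "user[id]" -> ["user", "id"]
function keyPath(rawKey) {
  return rawKey.split('[').map((p) => (p.endsWith(']') ? p.slice(0, -1) : p));
}

// hardened=false: plain property access. For "__proto__[foo]=bar" the walk
// resolves result.__proto__ to Object.prototype and the final assignment
// writes Object.prototype.foo = "bar", visible on every object in the page,
// while JSON.stringify(result) shows only {"user":{"id":"1"}}.
// hardened=true: drop pairs containing a forbidden key and only descend into
// own properties, i.e. the vulnerable code path is removed.
function parseQuery(search, hardened) {
  const result = {};
  for (const pair of search.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [rawKey, rawValue = ''] = pair.split('=');
    const path = keyPath(decodeURIComponent(rawKey));
    if (hardened && path.some((k) => FORBIDDEN_KEYS.has(k))) continue;
    let node = result;
    for (const key of path.slice(0, -1)) {
      const isOwn = Object.prototype.hasOwnProperty.call(node, key);
      const isObj = typeof node[key] === 'object' && node[key] !== null;
      // Reuse an existing container only if it is an object and, when
      // hardened, an own property rather than something inherited.
      if (!(isObj && (!hardened || isOwn))) node[key] = {};
      node = node[key];
    }
    node[path[path.length - 1]] = decodeURIComponent(rawValue);
  }
  return result;
}

// Detection probe: parse the URL, then check whether a freshly created
// object now inherits the injected property. The probe property is removed
// afterwards so later checks start from a clean Object.prototype.
function pollutionCheck(search, hardened, probeKey) {
  const parsed = parseQuery(search, hardened);
  const polluted = ({})[probeKey] !== undefined;
  delete Object.prototype[probeKey];
  return { parsed: JSON.stringify(parsed), polluted };
}
```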
15. Conclusion
   • New attack surface
   • Feature proposal: Mitigation for Client-Side Prototype Pollution · Issue #33 · WICG/document-policy · GitHub
16. Research Team
   • Sergey Bobrov @Black2Fan
   • Mohan SRK P @S1r1u5_
   • terjanq @terjanq
   • Beomjin Lee @po6ix
   • Masato Kinugawa @kinugawamasato
   • Rahul Maini @iamnoooob
   • Harsh Jaiswal @rootxharsh
   • Mikhail Egorov @0ang3el
   • Nikita Stupin @_nikitastupin