A tale of making internet pollution free - BSides Ahmedabad 2021

Transcript

1. A tale of making internet pollution free Finding & Exploiting

   Client-Side Prototype Pollution in the Wild

2. Mohan SRK P • I like browsers, electron and CTFs

   • @s1r1u5_ • Web and shit posting • @rootxharsh Harsh Jaiswal

3. Agenda • Javascript Prototype • Prototype Pollution • Methodology To

   Find & Exploit Prototype Pollution at Scale • Case Studies & Results • Ways To Mitigate Prototype Pollution • Conclusion

4. Javascript Prototype

5. Javascript Prototype • Javascript is an prototype based language •

   Objects inherits properties and methods via prototype object. • Object based inheritance is cool, but it has a security hole.
6. None
7. None

8. Prototype Pollution

9. Prototype Pollution • Properties in Object.prototype are available to all

   the objects created in the application through prototype chain. • If Object.prototype is tampered by the malicious user somehow then all the objects in the applications will have access to the tampered property.
10. None

11. Passed query parameters → ?user=harsh
 
 Resulting query object →

    {“user”: “harsh”}
 


12. Passed query parameters → ?user[id]=1
 
 Resulting query object →

    {“user”: {“id”:1}}
 


13. Passed query parameters → ?user[id]=1&__proto__[foo]=bar
 
 Resulting query object →

    {“user”: {“id”:1}}
 
 Where did __proto__ go?

14. None

15. Methodology To Find & Exploit Prototype Pollution at Scale

16. Methodology

17. Detection Selenium script/Nuclei Template - Initially, used this to find

    sites which has vulnerable location parsing either via query value or hash value in the URL. - Advantage: - Scalable - Disadvantage: - Only finds vulnerable location parsing - We can’t scan Authenticated Pages
18. None

19. Detection Chrome Extension - To scan authenticated pages manually, we

    wrote an extension. - Advantage: Can scan Authenticated Pages. - Disadvantage: - Only finds vulnerable location parsing. - Not Scalable.

20. Detection Static Analysis Tool - To find all code components

    which leads to pollution we need to do static analysis. - Used CodeQL. - Advantage: Can find all sources and sinks which leads to prototype pollution. - Disadvantage: Not scalable.

21. Script Gadgets What is Script Gadget? A script gadget is

    a piece of code in the application which can be triggered via prototype pollution and can be used to upgrade prototype pollution to XSS.

22. Script Gadgets What is Script Gadget? A script gadget is

    a piece of code in the application which can be triggered via prototype pollution and can be used to upgrade prototype pollution to XSS. - Hard and Interesting part after detection. - Need to find the gadget most of the time. - If you are lucky, pollute.js and untrusted-types can quickly find one. - Idea: I think it can be automated with CodeQL

23. Identification of Lib

24. Scanning from DB

25. Case Study: Bug found using CodeQL • Downloaded JS on

    top pages of Google, FB, and some private programs. • Created a database with CodeQL. codeql database create --language=javascript --source-root database vulnerable_db / • Run the Query on DB codeql query run --database=./vulnerable_db ../pp-automation/learn.ql

26. Case Study: Bug found using CodeQL

27. Case Study: Apple XSS using Chrome extension Rahul’s https://github.com/msrkp/PPScan

28. Case Study: Pollution found using python selenium bot. https://blog.swiftype.com/#__proto__[asdf]=alert(document.domain)

29. Results

30. Results • Number of vulnerable libraries found: 18 • Number

    of bugs reported to vulnerability disclosure programs: ~80 • Total Bounties earned by ~10 people: ~ 40k

31. Mitigations

32. Mitigations • Remove the vulnerable code • Object.prototype freezing, Object

    sealing, or Object.create(null) is not enough ◦ For how not to fix you should definitely check BlackFan’s talk and pugpug challenge in Bsides Ahmedabad CTF.

33. Conclusion

34. Conclusion • New attack surface • Feature proposal: Mitigation for

    Client-Side Prototype Pollution · Issue #33 · WICG/document-policy · GitHub

35. Research Team • Sergey Bobrov @Black2Fan • Mohan SRK P

    @S1r1u5_ • terjanq @terjanq • Beomjin Lee @po6ix • Masato Kinugawa @kinugawamasato • Rahul Maini @iamnoooob • Harsh Jaiswal @rootxharsh • Mikhail Egorov @0ang3el • Nikita Stupin @_nikitastupin

36. Thanks to other researchers • @_holyvier_ • @SecurityMB • @wcbowling

    • @corb3nik

37. Thanks

38. Questions?