According to Yinzhi Cao, assistant professor of computer science at Johns Hopkins Whiting School of Engineering who designed the ProbTheProto framework, prototype pollution allows an adversary to inject or modify a property under a prototype object, for example Object.prototype, thus affecting the normal performance. (eg, control and data flow) of a vulnerable program.
Explaining the problem informally to Catherine Graham on the Johns Hopkins University blog. Cao said:
“It was only recently that researchers began to look closely at prototype pollution and realized that it was a matter of great concern. Many developers may not be aware that prototype pollution vulnerabilities can have serious consequences.”
Cao’s ProbeTheProto framework is intended to identify and alert vulnerable websites and consists of two parts: a dynamic fingerprint analysis that tracks so-called joint fingerprint flows linking searches and property assignments, and the generation of inputs/holdings that guides the flows of joint footprints to final sinks related to other consequences. Additionally, ProbeTheProto examines whether a prototype object is controllable, whether and which properties can be manipulated, and whether the injected value has other consequences. it does this by tracking adversary-controlled inputs in searches for vulnerable properties, such as obj[prop]via dynamic tint analysis to detect pollution vulnerabilities of the prototype, and then guiding object searches in tint propagation to a consequence-bound end receiver like innerHTML.
Along with PhD students, Zifeng Kang, Song Li, Cao implemented a prototype of ProbeTheProto and rated it on the one million websites ranked by Tranco. Their results identified 2,738 websites vulnerable to 2,917 exploitable prototypes of zero-day pollution vulnerabilities.
The distribution of vulnerabilities shows that the most popular websites were more likely to be exposed to prototype pollution. In fact, 10 of the top 1,000 websites, including CNET.com, weebly.com and mckinsey.com were among those identified, along with 63 sites ranked between 1,000 and 10,000.
Considering the distribution of zero-day prototype pollution among the million websites by joint feed sources, URL search (location.search) is by far the most numerous, followed by URL (location ). A small number of vulnerabilities were introduced by messages and even fewer by cookies.
The distribution of vulnerabilities by consequences shows the number of sink triggers:
This shows that cookie and URL manipulations are much more popular than XSS. A final receiver for a vulnerability can be triggered multiple times because it is often embedded in a for loop or invoked in multiple function calls.
A total of 1322 vulnerabilities are even more vulnerable to further attacks – 48 lead to XSS, 736 to cookie manipulation and 830 to URL manipulation. The other 1595 had no observable consequences.
By the time the paper, which is to be presented at the 2022 Network and Distributed Systems Security (NDSS) Symposium to be held in San Diego, California, USA in late April, was written, 185 websites had patched the vulnerabilities reported, six others had confirmed but not yet fixed the flaws, and two had been fixed with their own patch but are still vulnerable.
Probing the Prototype: Measuring Client-Side Prototype Pollution Vulnerabilities of One Million Real-World Websites (pdf)
by Zifeng Kang, Song Li and Yinzhi Cao of Johns Hopkins University
The perils of jQuery?
To be notified of new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.
or send your comment to: [email protected]