Discovering Hidden Properties to Attack Node.js ecosystem

Conference:  Defcon 28



The presentation discusses the concept of hidden property abuse (HPA) in Node.js applications and how it can be exploited by attackers to manipulate internal states of the program.
  • Node.js is a powerful runtime execution engine used for executing JavaScript outside of browsers and is widely used in web-based applications.
  • Object sharing is a common feature in Node.js applications that allows for the communication of complex data structures.
  • Hidden property abuse (HPA) is a type of attack vector that leverages object sharing in Node.js to manipulate internal states of the program.
  • There are two types of HPA attack vectors: app-specific attribute manipulation and event handler attack.
  • HPA can be used to access arbitrary data in the database, leak credential user data, and cause denial of service.
  • Developers should be aware of hidden properties and implement proper validation and sanitization techniques to prevent HPA attacks.
The presentation gives an example of how an attacker can use HPA to manipulate the access rights of a user object by propagating a conflicting name property into the object.


Node.js is widely used for developing both server-side and desktop applications. It provides a cross-platform execution environment for JavaScript programs. Due to the increasing popularity, the security of Node.js is critical to web servers and desktop clients. We present a novel attack method against the Node.js platform, called hidden property abusing (HPA). The new attack leverages the widely-used data exchanging feature of JavaScript to tamper critical program states of Node.js programs, like server-side applications. HPA entitles remote attackers to launch serious attacks, such as stealing confidential data, bypassing security checks, and launching denial of service attacks. To help developers detect the HPA issues of their Node.js applications, we develop a tool, named LYNX, that utilizes hybrid program analysis to automatically reveal HPA vulnerabilities and even synthesize exploits. We apply LYNX on a set of widely-used Node.js programs and identify 13 previously unknown vulnerabilities. LYNX successfully generates 10 severe exploits. We have reported all of our findings to the Node.js community. At the time of paper writing, we have received the confirmation of 12 vulnerabilities and got 12 CVEs assigned. Moreover, we collaborated with an authoritative public vulnerability database to help them use a new vulnerability notion and description in related security issues. The talk consists of four parts. First, we will introduce recent offensive research on Node.js. Second, we will introduce HPA by demonstrating an exploit on a widely-used web framework. Third, we will explain how to leverage program analysis techniques to automatically detect and exploit HPA. In the end, we will have a comprehensive evaluation which discusses how we identified 13 HPA 0days with the help of our detection method.