Discovering Hidden Properties to Attack the Node.js Ecosystem

Conference:  BlackHat USA 2020

2020-08-05

Summary

The presentation discusses the concept of Hidden Property Abusing (HPA) in Node.js applications and how attackers can exploit it to manipulate internal states of the program.
  • Node.js is a powerful runtime execution engine used for executing JavaScript outside of browsers and is widely used in web-based applications.
  • Object sharing is a common feature in Node.js applications where communication data is packed into object representation.
  • Hidden Property Abusing (HPA) leverages object sharing in Node.js to forge or tamper with critical program states in the application.
  • There are two types of attack vectors in HPA: app-specific attribute manipulation and event handler attack.
  • App-specific attribute manipulation targets internal properties defined by the application itself, while the event handler attack targets event handlers and can freeze the entire server program.
  • The presentation emphasizes the need for developers to be aware of hidden properties and to properly manage internal states of the program to prevent HPA attacks.
The presentation provides an example of how an attacker can use HPA to manipulate the internal states of a program. By injecting additional properties that the server program does not expect, an attacker can forge or override certain internal states and gain dangerous abilities, such as manipulating the key logic of the program.
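The following is an added illustration of the pattern the summary describes, not code from the talk or from any of the audited applications: a hypothetical profile-update handler that merges a deserialized request body into its internal session state, next to a hardened variant that copies only an allowlist of expected fields and a helper that reports unexpected properties for logging at the API boundary. All names (newSession, updateProfileUnsafe, updateProfileSafe, isAdmin) and the sample request body are constructed for the example.

```javascript
// Added example (not from the talk). Hypothetical Node.js handler code
// showing how an unexpected property in attacker-controlled input can
// override internal state, and how an allowlist prevents it.

// Internal per-request state the server relies on for authorization.
function newSession(user) {
  return { user, isAdmin: false, rateLimited: false };
}

// Vulnerable pattern: Object.assign copies every own enumerable property
// of the input, so a hidden "isAdmin" key silently overwrites the flag.
function updateProfileUnsafe(session, body) {
  Object.assign(session, body);
  return session;
}

// Hardened pattern: copy only fields the handler is documented to accept,
// checking type and using hasOwnProperty so inherited keys are ignored.
const ALLOWED_PROFILE_FIELDS = ['displayName', 'email'];

function updateProfileSafe(session, body) {
  for (const key of ALLOWED_PROFILE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, key) &&
        typeof body[key] === 'string') {
      session[key] = body[key];
    }
  }
  return session;
}

// Detection helper: properties present in the input that the handler does
// not expect. Emitting these to a log gives defenders a signal for HPA probes.
function unexpectedProperties(body, allowed = ALLOWED_PROFILE_FIELDS) {
  return Object.keys(body).filter((k) => !allowed.includes(k));
}

// Constructed sample request body: the two expected fields plus one hidden
// property named after an internal state variable.
const sampleBody = JSON.parse(
  '{"displayName":"alice","email":"alice@example.invalid","isAdmin":true}'
);

console.log('unsafe:', updateProfileUnsafe(newSession('alice'), sampleBody));
console.log('safe:  ', updateProfileSafe(newSession('alice'), sampleBody));
console.log('unexpected keys:', unexpectedProperties(sampleBody));
```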

Abstract

Node.js is widely used for developing both server-side and desktop applications. It provides a cross-platform execution environment for JavaScript programs. Due to its increasing popularity, the security of Node.js is critical to web servers and desktop clients.

We present a novel attack method against the Node.js platform, called hidden property abusing (HPA). The new attack leverages the widely used data exchanging feature of JavaScript to tamper with critical program states of Node.js programs, like server-side applications. HPA entitles remote attackers to launch serious attacks, such as stealing confidential data, bypassing security checks, and launching denial of service attacks. To help developers detect the HPA issues of their Node.js applications, we develop a tool, named LYNX, that utilizes hybrid program analysis to automatically reveal HPA vulnerabilities and even synthesize exploits. We apply LYNX on a set of widely used Node.js programs and identify 13 previously unknown vulnerabilities. LYNX successfully generates 10 severe exploits. We have reported all of our findings to the Node.js community. At the time of paper writing, we have received the confirmation of 12 vulnerabilities and got 12 CVEs assigned. Moreover, we collaborated with an authoritative public vulnerability database to help them use a new vulnerability notion and description in related security issues.

The talk consists of four parts. First, we will introduce recent offensive research on Node.js. Second, we will introduce HPA by demonstrating an exploit on a widely used web framework. Third, we will explain how to leverage program analysis techniques to automatically detect and exploit HPA. In the end, we will have a comprehensive evaluation which discusses how we identified 13 HPA 0days with the help of our detection method.
