Conference: Defcon 31
Authors: Mikhail Shcherbakov (KTH Royal Institute of Technology), Musard Balliu (KTH Royal Institute of Technology)
2023-08-01

Many have heard about Prototype Pollution vulnerabilities in JavaScript applications. This kind of vulnerability allows an attacker to inject properties into an object's root prototype that may lead to flow control alteration and unexpected program behavior. Every time a successful exploit looks like magic or is limited to a denial of service (DoS). Would you be surprised if I told you that every application has a chain of methods that can be triggered by Prototype Pollution and leads to arbitrary code execution? Such gadgets populated Node.js core code and popular NPM packages. Keep calm. Not every app can be exploited! However, this fact increases the risk of exploitation many times over. In our research, we studied Prototype Pollution beyond DoS and analyzed Node.js source code against the gadgets. We then analyzed 15 popular Node.js apps from GitHub and got 8 RCEs. Through this talk, I will elaborate on the detected gadgets and vulnerabilities. We will also take a look at how the recent changes in Node.js mitigate these issues.

Authors: Cole Cornford
2021-09-24

tldr - powered by Generative AI

The talk emphasizes the importance of clear and structured code in preventing security vulnerabilities. The speaker highlights the need to pay attention to basic programming constructs and avoid inscrutable code.
  • Clear and structured code is essential for assessing a program's security posture.
  • Basic programming constructs like comparisons, conditionals, loops, and more can lead to security vulnerabilities if not understood properly.
  • Inscrutable code is prevalent in many industries and can be difficult to assess for security vulnerabilities.
  • The speaker recommends using clear expressions and structuring code to avoid mistakes and make it easier to read.