Conference:  Defcon 31
Authors: Mikhail Shcherbakov KTH Royal Institute of Technology, Musard Balliu KTH Royal Institute of Technology
2023-08-01

Many have heard about Prototype Pollution vulnerabilities in JavaScript applications. This kind of vulnerability allows an attacker to inject properties into an object's root prototype, which may lead to flow control alteration and unexpected program behavior. Every time, a successful exploit looks like magic or is limited to a denial of service (DoS). Would you be surprised if I told you that every application has a chain of methods that can be triggered by Prototype Pollution and leads to arbitrary code execution? Such gadgets populate Node.js core code and popular NPM packages. Keep calm. Not every app can be exploited! However, this fact increases the risk of exploitation many times over. In our research, we studied Prototype Pollution beyond DoS and analyzed Node.js source code against the gadgets. We then analyzed 15 popular Node.js apps from GitHub and got 8 RCEs. Through this talk, I will elaborate on the detected gadgets and vulnerabilities. We will also take a look at how the recent changes in Node.js mitigate these issues.
Conference:  Black Hat Asia 2023
Authors: Mikhail Shcherbakov
2023-05-11

Many have heard about Prototype Pollution vulnerabilities in JavaScript applications. This kind of vulnerability allows an attacker to inject properties into an object's root prototype, which may lead to flow control alteration and unexpected program behavior. Every time, a successful exploit looks like magic or is limited to a denial of service (DoS). Would you be surprised if I told you that every application has a chain of methods that can be triggered by Prototype Pollution and leads to arbitrary code execution? Such gadgets populate Node.js core code and popular NPM packages. Keep calm. Not every app can be exploited! However, this fact increases the risk of exploitation many times over. In our research, we studied Prototype Pollution beyond DoS and analyzed Node.js source code against the gadgets. We then analyzed 15 popular Node.js apps from GitHub and got 8 RCEs. Through this talk, I will elaborate on the detected gadgets and vulnerabilities. We will also take a look at how the recent changes in Node.js mitigate these issues.
Authors: Gareth Heyes
2023-02-15

tldr - powered by Generative AI

The presentation discusses the detection and prevention of Prototype Pollution vulnerabilities in JavaScript applications.
  • Prototype Pollution vulnerabilities can be exploited to execute malicious code in JavaScript applications
  • The Prototype Pollution scanner can be used to detect these vulnerabilities and confirm they are fixed
  • Calling Object.freeze or Object.seal on Object.prototype protects against Prototype Pollution, because later writes to the root prototype are rejected
  • Sending inherited property names as parameter names or values can cause JavaScript native code to be reflected in the response, which reveals a JavaScript back end
  • A JavaScript engine can be fingerprinted by checking for specific inherited properties
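The following is an added example that illustrates both the Shcherbakov and Balliu abstract above and the Gareth Heyes summary; it is not code from either talk. It shows the classic pollution sink (a recursive merge that trusts attacker-controlled keys), a constructed gadget (an authorization check that reads a property the object may not own), a hardened merge, and Object.freeze on the root prototype as defence in depth. The function names, the isAdmin gadget and the JSON payload are all constructed for this illustration.

```javascript
// Added example, not code from either talk. All names and the payload are constructed.

// Vulnerable: a recursive merge that trusts attacker-controlled keys. When the key is
// "__proto__", target[key] resolves to Object.prototype, so the recursion writes the
// attacker's properties onto the root prototype that every plain object inherits from.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed gadget: a check that reads a property the object itself may not own.
// After pollution the lookup falls through to Object.prototype and every user is admin.
function isAdmin(user) {
  return user.isAdmin === true;
}

// Hardened merge: iterate own keys only, and never follow the keys that reach a prototype.
const PROTOTYPE_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (PROTOTYPE_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Walk through the scenario and report what the gadget observes at each step.
function demo() {
  // Constructed attacker input, as it would arrive in a JSON request body.
  const payload = () => JSON.parse('{"name":"guest","__proto__":{"isAdmin":true}}');

  const report = { before: isAdmin({}) };            // false: nothing polluted yet

  unsafeMerge({}, payload());
  report.afterUnsafeMerge = isAdmin({});             // true: every object is now "admin"
  delete Object.prototype.isAdmin;                   // undo the pollution for the next step

  const merged = safeMerge({}, payload());
  report.afterSafeMerge = isAdmin({});               // false: "__proto__" was skipped
  report.safeMergeKeptName = merged.name === "guest"; // ordinary keys still merge

  // Defence in depth: freeze the root prototype. A later write to it is silently
  // ignored in sloppy mode or throws a TypeError in strict mode; either way no
  // property lands on Object.prototype, even through the vulnerable merge.
  Object.freeze(Object.prototype);
  try { unsafeMerge({}, payload()); } catch (e) { /* TypeError under strict mode */ }
  report.afterFreeze = isAdmin({});                  // false
  return report;
}
```

The demo deliberately pollutes and then cleans the real Object.prototype of the running process, so run it in a throwaway process rather than inside an application. Freezing Object.prototype is a blunt instrument: it breaks any library that legitimately extends it, which is why the key filter in safeMerge should be the primary fix and the freeze a backstop. Node.js also offers the `--disable-proto=delete` flag, which removes the `__proto__` accessor so that the key in this payload becomes an ordinary own property instead of a path to the root prototype; whether that is among the changes the talk refers to is not stated on this page.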
Authors: Gal Weizman
2023-02-15

tldr - powered by Generative AI

The presentation discusses how third-party security solutions gain control over a JavaScript application by overriding runtime behaviour, and why their lack of visibility into JavaScript Realms undermines the protection they provide.
  • Third-party solutions can help improve the security and visibility of JavaScript applications
  • These solutions typically rely on behavioral overriding (monkey patching) of built-in APIs to gain control over the application and its runtime
  • A Realm is a separate global execution environment with its own set of built-in objects; every same-origin iframe, for example, is a new Realm
  • Patches applied in one Realm do not exist in another, so code (including plugins and third-party scripts) that obtains a fresh Realm gets unpatched built-ins and escapes the solution's visibility
  • Improving security and visibility therefore requires solutions that detect new Realms and extend their protection into them
Authors: Marius Musch
2022-11-17

As websites grow ever more dynamic and load more of their content on the fly, automatically interacting with them via simple tools like curl is becoming less of an option. Instead, headless browsers with JavaScript support, such as PhantomJS and Puppeteer, have gained traction on the Web over the last few years. For various use cases like messengers and social networks that display link previews, these browsers visit arbitrary, user-controlled URLs. To avoid compromise through known vulnerabilities, these browsers need to be diligently kept up to date. In this talk, we investigate the phenomenon of what we coin "server-side browsers" at scale and find that many websites are running severely outdated browsers on the server side. Remarkably, the majority of them had not been updated for more than 6 months, and over 60% of the discovered implementations were found to be vulnerable to publicly available proof-of-concept exploits.
Authors: Phu H. Phung
2021-09-24

Abstract: Although technical solutions and legislation exist, online user privacy is still an open issue and an unsolved crisis. Indeed, there is no formal assurance mechanism to guarantee that a web application will not violate its users' privacy as stated in the user agreement. In this presentation, we introduce a new method to protect web users' privacy by monitoring JavaScript code based on the source of the code, i.e., code origin. Our code-origin policy enforcement approach advances the conventional same-origin policy standard and allows the users to customize their protection. We demonstrate that our privacy policies can be certified at the development phase and verified at runtime to provide formal assurance of the enforcement.