
Prototype Pollution

This is a recent security discovery that is actively scary.

The concept is this: JavaScript is a prototypal language.

That is, all JavaScript objects (and functions and variables) reference another object that acts as their mentor, the prototype for that object. That prototype also has a prototype, in a chain all the way up to the base Object prototype (Object.prototype).

So X points to Y, which points to Z. If you try to reference an attribute or method on X and X doesn't have its own property by that name, then it borrows from Y (and Y, in turn, from Z).

In code that might look like this:

This is an interesting trait, which allows us to do stuff like this:
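The chain described above, as an added example (this is not code from the original page): three objects X, Y and Z linked by prototype, a lookup that walks the chain the same way the engine does, and a write to a middle link that every object below it immediately sees. All names here are chosen for the example.

```javascript
// Added example, not from the original page: a three-link chain
// X -> Y -> Z -> Object.prototype -> null, built with Object.create.
const Z = { fromZ: "z" };
const Y = Object.create(Z, { fromY: { value: "y", enumerable: true } });
const X = Object.create(Y, { fromX: { value: "x", enumerable: true } });

// Find the object in the chain that actually holds `key`: own properties
// first, then each prototype in turn, stopping when the chain ends at null.
function whereDefined(obj, key) {
  let current = obj;
  while (current !== null) {
    if (Object.prototype.hasOwnProperty.call(current, key)) {
      return current;
    }
    current = Object.getPrototypeOf(current);
  }
  return null;
}

// Same resolution the engine performs for `obj[key]`.
function lookup(obj, key) {
  const holder = whereDefined(obj, key);
  return holder === null ? undefined : holder[key];
}

// Number of links from obj down to (and including) the last prototype.
function chainLength(obj) {
  let n = 0;
  for (let p = obj; p !== null; p = Object.getPrototypeOf(p)) n++;
  return n;
}

// Borrowing in action: X has no own "fromZ", yet X.fromZ resolves through Y to Z,
// and X.toString resolves all the way up to Object.prototype.
function demo() {
  return {
    xHasOwnFromZ: Object.prototype.hasOwnProperty.call(X, "fromZ"),  // false
    xFromZ: X.fromZ,                                                  // "z"
    holderOfFromZ: whereDefined(X, "fromZ") === Z,                    // true
    holderOfToString: whereDefined(X, "toString") === Object.prototype, // true
    missing: lookup(X, "nope"),                                       // undefined
    chainLength: chainLength(X),                                      // 4
  };
}

// Writing to a link in the middle of the chain changes what every object
// below it reads back. This is the mechanism prototype pollution abuses.
function addToY() {
  Y.shared = "added later";
  return X.shared;  // "added later", even though X was never touched
}
```

Note that `whereDefined(X, "toString")` lands on `Object.prototype`: every ordinary object ends its chain there, which is exactly why a write to that single object is felt everywhere.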

So what's the exploit?

One of the coolest JavaScript utilities that came along after jQuery was underscore. It is another utility library that lets you quickly do all of the cool things you need every day.

One of those is to merge objects. I know I need that functionality all of the time.

When you merge objects, copy objects, or create objects you are taking keys from one object and writing them into the other.

So the concept of this exploit is that, when those utilities aren't written carefully (I'll give a list of public libraries subject to this problem), user-controlled keys can alter and poison the whole prototype chain.

See the Pen Untitled by Andy Novocin (@AndyNovo) on CodePen.

My Flag

My flag for the day requires hunting down the most current version of the exploit: https://knotty-conscious-firewall.glitch.me/

In theory these exploits can be pivoted into Remote Code Execution.

In the wild

So analyzing one of these in the wild requires two things:

  1. Identify any place where you can write an arbitrary key into any object
  2. Find a gadget in the codebase which leans on default or configured keys
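The two halves above (an arbitrary-key write in a merge utility, and a gadget that trusts a configured key) put together, as an added example that is not code from the original page or from underscore. The naive merge carries the defect the page describes; the payload, the gadget and the hardened merge are all constructed for this example, as is the startup snapshot used to notice that Object.prototype gained a key it should not have.

```javascript
// Added example, not from the original page or underscore. Names are illustrative.

// (1) The write primitive: a recursive merge that walks `for...in` keys and
// descends into any object-valued key, including the inherited "__proto__"
// accessor on the target, so it ends up writing into Object.prototype.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === "object" && value !== null) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// (2) The gadget: code that leans on a configured key with a default of "absent".
// It never sets isAdmin itself, so it reads whatever the prototype chain supplies.
function gadgetIsAdmin(userRecord) {
  return userRecord.isAdmin === true;
}

// Hardened merge: only own keys, the three chain-walking names skipped,
// and no descent into a target value the target does not itself own.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === "object" && value !== null) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Defender check: snapshot Object.prototype's own keys at startup and report
// anything that appears later. Cheap to run in tests or a health endpoint.
const baselineKeys = new Set(Object.getOwnPropertyNames(Object.prototype));
function unexpectedPrototypeKeys() {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !baselineKeys.has(k));
}

// Walk-through on a constructed JSON body. JSON.parse creates an own,
// enumerable "__proto__" data property, which is what the naive merge enumerates.
function runScenario() {
  const payload = JSON.parse('{"name":"guest","__proto__":{"isAdmin":true}}');

  const before = gadgetIsAdmin({});          // false: nothing in the chain has isAdmin
  naiveMerge({}, payload);                   // writes isAdmin onto Object.prototype
  const afterNaive = gadgetIsAdmin({});      // true: an unrelated, empty object is now "admin"
  const unexpected = unexpectedPrototypeKeys(); // ["isAdmin"]
  delete Object.prototype.isAdmin;           // undo so the rest of the demo starts clean

  const merged = safeMerge({}, payload);
  const afterSafe = gadgetIsAdmin({});       // false: chain untouched
  return {
    before,
    afterNaive,
    unexpected,
    afterSafe,
    mergedName: merged.name,                 // "guest": ordinary keys still merge
    mergedHasOwnProto: Object.prototype.hasOwnProperty.call(merged, "__proto__"), // false
  };
}
```

Two further mitigations worth pairing with the hardened merge: keep configuration and lookup maps in null-prototype objects (`Object.create(null)`) so the gadget has no chain to borrow from, and call `Object.freeze(Object.prototype)` early in process startup where the codebase tolerates it, which turns the write in step (1) into a silent no-op (or a TypeError in strict mode) instead of a global poisoning.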