Modern web applications have a complex design, and the complex interactions
between parts of the codebase make understanding and analysis challenging.
The last decade has seen a proliferation of code-reuse attacks in the context
of web applications. The attack techniques depend on the platform and
programming language of the target for static analysis and find
vulnerabilities leading to Remote Code Execution.
The talk will focus on prototype pollution vulnerabilities. We study the
problem in a holistic way, from the detection of prototype pollution to the
detection of gadgets, with the ambitious goal of finding end-to-end exploits
beyond DoS in full-fledged Node.js applications.
We build the first multi-staged framework that uses multi-label static taint
analysis to identify prototype pollution in Node.js libraries and
applications, including their transitive dependencies, as well as a hybrid
approach to detect universal gadgets, notably by analyzing the Node.js
source code. The evaluation shows that our approach helps to identify
exploitable RCE vulnerabilities in high-profile applications.
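As an added illustration of the bug class the talk targets (this is not code from the talk or from the authors' framework, and all names in it are hypothetical), the recursive "deep merge" below is the classic prototype pollution sink: merging attacker-controlled JSON lets a `__proto__` key write into `Object.prototype`, so an unrelated object suddenly inherits the injected property. The hardened variant beside it shows the fix that a static taint analysis would want to see at the sink.

```javascript
// Keys through which a write can leave the target and reach a prototype.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable sink: JSON.parse makes "__proto__" an ordinary own key of
// `source`, but target["__proto__"] on a fresh object is Object.prototype,
// so the recursion writes straight into the prototype shared by every object.
function mergeVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeVulnerable(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened sink: drop prototype-reaching keys and only recurse into
// containers that are own properties of `target`, never inherited ones.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      mergeSafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed sample request body in the shape a pollution payload takes.
const SAMPLE_BODY = '{"__proto__": {"polluted": "yes"}, "name": "app"}';

// Merges the sample body with the given sink and reports what an unrelated,
// fresh object now sees for "polluted" (undefined = nothing leaked); then
// restores Object.prototype so the process is left intact.
function probe(merge) {
  merge({}, JSON.parse(SAMPLE_BODY));
  const leaked = {}.polluted;
  delete Object.prototype.polluted;
  return leaked;
}
```

`probe(mergeVulnerable)` returns `"yes"` while `probe(mergeSafe)` returns `undefined`; the same key-denylist plus own-property check is the pattern to look for when auditing merge, extend, clone and path-set helpers in dependencies.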