Modern web applications have a complex design, and the complex interactions
between parts of the codebase make them hard to understand and analyze. The
last decade has seen a proliferation of code-reuse attacks in the context of
web applications. The attack techniques depend on the platform and programming
language of the target application. We consider prototype-based (JavaScript)
languages as a target for static analysis and find vulnerabilities leading to
Remote Code Execution (RCE).
The talk will focus on prototype pollution vulnerabilities. We study the
problem in a holistic way, from the detection of prototype pollution to
detection of gadgets, with the ambitious goal of finding end-to-end exploits
beyond DoS, in full-fledged Node.js applications.
We build the first multi-staged framework that uses multi-label static taint
analysis to identify prototype pollution in Node.js libraries and
applications, including their transitive dependencies, as well as a hybrid
approach to detect universal gadgets, notably, by analyzing the Node.js
source code. The evaluation shows that our approach helps to identify
exploitable RCE vulnerabilities in high-profile applications.
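To make the prototype pollution class concrete, here is an added example (not code from the talk or its framework) of a naive recursive merge, the typical sink such analyses look for, beside a hardened version that refuses to walk into the prototype chain; the `unsafeMerge`, `safeMerge` and `demonstrate` names and the JSON payload are constructed for this illustration.

```javascript
// Vulnerable: copies every key of the source, including "__proto__".
// Reading target["__proto__"] on a plain object hits the inherited accessor and
// returns Object.prototype, so the recursion writes into the shared prototype and
// every object in the process inherits the attacker-controlled key.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (typeof source[key] === 'object' && source[key] !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Keys that lead from an ordinary object to a prototype. Skipping them is the
// mitigation; checking own properties avoids recursing into inherited values.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (typeof source[key] === 'object' && source[key] !== null) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Runs one merge on a constructed JSON body and reports whether an unrelated,
// freshly created object now carries the injected key (the pollution symptom).
function demonstrate(merge) {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}}'); // constructed input
  merge({}, payload);
  const leaked = ({}).polluted; // undefined unless Object.prototype was polluted
  delete Object.prototype.polluted; // restore the prototype for later calls
  return leaked;
}
```

`demonstrate(unsafeMerge)` returns "yes" while `demonstrate(safeMerge)` returns undefined, which is the observable difference a taint analysis or a runtime check is trying to surface.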