Exploiting Prototype Pollution to Get RCE in Node.js





The modern Web applications have a complex design and complex interactions between parts of the codebase make understanding and analysis challenging. The last decade has seen a proliferation of code-reuse attacks in the context of web applications. The attack techniques depend on the platform and programming language of the target application. We consider prototype-based (JavaScript) languages as a target for static analysis and find vulnerabilities leading to Remote Code Execution (RCE).

The talk will focus on prototype pollution vulnerabilities. We study the problem in a holistic way, from the detection of prototype pollution to detection of gadgets, with the ambitious goal of finding end-to-end exploits beyond DoS, in full-fledged Node.js applications. We build the first multi-staged framework that uses multi-label static taint analysis to identify prototype pollution in Node.js libraries and applications, including their transitive dependencies, as well as a hybrid approach to detect universal gadgets, notably, by analyzing the Node.js source code. The evaluation shows that our approach helps to identify exploitable RCE vulnerabilities in high profile applications.