Finding & Exploiting Client-Side Prototype Pollution in the Wild

uh hey everyone uh thanks for attending uh this talk i think uh everyone everyone is having a good day so yeah our talk is a tale of making internet pollution free finding and exploiting client-side prototype pollution in the wild so how many of you are aware of this uh vulnerability class yeah so we will talk about prototype pollution in a while so first of all who are we and why you should care about this vulnerability at all uh this is harsh uh i do generally web application security and i do a lot of posting on twitter my handle is through textures and one can you introduce yourself yeah this is mohan shiram krishna uh i like

browsers electron and ctf uh i'm also known as sirius on twitter you can find me on twitter because yeah so what's in the agenda for today we will start off by learning about javascript uh you know the basic fundamentals of javascript uh because the vulnerability revolves around javascript it's a it's very specific to javascript we need to you know understand some basic terminologies and functionalities of it you need to be very clear about the uh building blocks of javascript before jumping right into the vulnerability itself uh then we will move ahead with the vulnerability class that is prototype pollution uh then we will show you our methodology what and what everything we use to find the vulnerability at scale

we will also show you some cases studies and uh research from research result from our research then finally we will move ahead with the mitigation part of the vulnerability so yeah let's start with javascript prototype so what is javascript like what kind of language it is right so it is a prototype based language what that means is unlike c plus or java it doesn't use proto uh it doesn't use a classical inheritance it uses something called an internal object called prototype and every object you create in javascript basically inherits its properties and method using uh this internal object called prototype for this uh you know this uh this prototype best inheritance is cool but it comes with its own loopholes and

that's exactly what we will be discussing today uh in the later slides so here we have a flowchart which will uh you know try to explain the difference between classical inheritance and total people inheritance so in the classical inheritance uh we have for example uh you want to you want to create a class called animal and then you want to get another class called dog or kit and you want to have all the properties of animal class uh all the properties and method of animal class within the dog or credit card so what you will do is you will use the syntax some similar to class dog extends animal and then when you create an object of class dog you

will have access to all the properties and methods of animal class within within the object within the dog object so that's how you do it in a normal c plus plus or java but when you when it comes to javascript things get a bit tricky right so for example here we have an animal object you define your properties and methods within it uh and if you want to copy this you know these methods and properties within dog so what you would do is you will use a syntax like dog dot prototype is equal to object.get and you will pass animals prototype as an argument to it now the blueprint or the baseline for the dog object will be uh will be that

of animals so you will have access to animals properties within it so that's how this to differentiate uh let's move on with another flowchart so this is like a more extended flowchart on the same thing so here we have a string uh uh an object called a with property series right and it points to like the prototyping points to the uh constructor's prototype so that is object.prototype in this case then uh which basically points to null so that is the top of gen um then we have this uh string called s uh which points to you know string dot prototype and that points to objective prototype so you see everything basically emulates from there this

animal object also initiates from there so everything inhibits from there uh if you create an array it will also inherit from here only so that's how the prototype chain goes on so what we explained here like the flowchart explains the prototype prototype chain so if you were to basically you know search for a access a property within that object uh within that object it will first try to access it within a otherwise it will go to the object or prototype and uh you know um it if it defines there it will success this is the value of it otherwise it will just return null so that's how it works so the now that we know about prototype channel

let's see the vulnerability class itself that is prototype pollution okay so we know that you know every object is inheriting its properties from object.prototype so uh what what would happen if someone can get hold of this object or prototype what if someone could add their own property to this object.prototype so uh if you are going in the direction it will be available in all the all the object you get that is right what that is exactly what will happen now if you create any object or if any past objective created has access to that property so here we have another uh flowchart explaining the very same thing so for example we have this uh object.prototype where we have set the

property pollute with this uh random value right uh now if you go to this you know object a and if you try to access the property pollute it will search within it but it's not there right it's it doesn't exist there so it uh it will go to the you know it's constructed prototype so that is object.prototype and it will try to access it there and because it exists there it will return its value so even though the property doesn't exist there it will it will get that value from the objective prototype so that's it that is the concept of the vulnerability you try to you know pollute that man top of the chain thing and you will have that value

in everywhere so for example here where we have a string called s then we are again searching for your property within s it is not there it will try to access it within string.prototype it is not there it will go on the top of chain it finds it there it returns its value so and so on this is how the concept of vulnerability works okay so that was the concept now so let's see an example how this one library will introduce in a code base or on the client side to be specific so we have cody snap at any anyone can see or read this called snippet or if not i can just go over it right uh

so we are basically taking uh all the query parameters and uh you know taking like a for example if i pass user is equal to hash we will pass the user uh uh user query parameter as an as a property of the query object so the returning query object will be will become user is a user and its value will be harsh so that's uh how we are publishing it okay yep so what if we pass user uh square bracket id square bracket is equal to one so here we have another check where we are saying if value you know if the query parameters are passed in like k1 square bracket k2 square bracket is equal to value then it will

you know join uh you know kind of recursion and it will add that as a nested object so now the user object becomes a nested object it has another object which has the id property and its value one so you see that's how a nested object is created using this input so what if we pass this uh special property called underscore underscore proto underscore underscore so foo is equal to bar so you say it doesn't return it there so where did the proto go that's the question right so like we said it points to constructors prototype so you try to query the query object you get user id one right uh then if you go

into the hidden property called prototype that is the internal object you get the foo bar now if you create another object called new object and try to exit the full property on new object it is there you see the bar is returned so it is written because it is at the top of chain we have quality at the top of chain so from now on uh we will show you the methodology to find this vulnerability at this scale uh mohan will take it from there yeah uh now now i'm going to discuss about the methodology we used uh in this whole research like you can see the flow flow chart here uh you can find all the stuff

we did during the whole research uh basically there are mainly two important parts parts in the whole research first one is fi detection which is finding the prototype pollution and second one is finding script gadgets we'll discuss more about the uh these two meta methods um in the coming slides uh now let's see the detection like uh what are the different stuff we did to direct a prototype pollution in bug bounty programs so initially we wrote a python script which basically takes the urls and checks if the checks if a prototype is polluted the basic idea is like it happens prototype pollution payload to the given url and if there is a vulnerable location parser uh uh it gets

polluted right so once it's polluted uh the python uses a selenium bot and checks if object dot prototype prototype is polluted if it's polluted uh it will send a notification to discord so basically uh that's how the like the python selenium script works uh the thing is like you are praying the p you are spraying the payload on the given url and praying for the proliferation to occur uh so the advantage of this of this method is like you can scale this up you can throw millions of domains to the python script and host the uh your instance on droplet uh dissolution droplet or aws instead and scan it for years uh i mean days it will

if it finds it will send a notification to you so that's uh advantage but the disadvantage is like it can only find vulnerable location passes because we are uh spraying the pollution and payload and hoping for uh pollution to occur like we are hoping for a like uh vulnerable location parser so uh it just sprays the payload and checks if the pollution is prototyping polluted so uh another issue with this method is like it can't scan authenticated pages because you give millions of domains to the given uh the script and uh so what happens is like you have you can't provide uh credentials of each and every website right so that's the issue with this uh

python scaling name script so to solve this issue uh what we did was like we created a chrome extension which um which you can think of it is like an exact port of the python script but in the chrome so it does same as the like uh this python selenium script but in the chrome so you can casually surf each and every website and if there is a vulnerable location for its parser it finds so the so the this thing has disadvantage like you can guess it like uh it is not scalable like the python selenium script you just throw the millions of domains list and it will scan for this for this you have to

manually surf each and every website right so that's the disadvantage uh as i said it has similar disadvantages like the selenium script it can only find vulnerable location parsers i mean the query parameters are the hash parameters of javascript uh so to solve this uh uh so as i said it just spray sprays the payload and hopes for the position to occur so we need a proper uh tool like a tool which can do program analysis like static analysis tool so that's where i used codical which is a same else static analysis tool it's now acquired by github so basically it's a cool tool like you can model your queries according to your node according

to your need and basically you have to model each and every instance of prototype pollution in the application and uh create the database and run the query on a given application so basically you have to download all the js files of the application so uh it's hard to scale this up this method too but the main advantage is like it can find all all prototype pollution in the given application so that's it about that detection uh you can maybe uh you can try new stuff do new stuff to improve the efficiency of these methods uh so that you can find new vulnerable uh applications in bug bounty programs because i really believe that there are

so many websites which are still vulnerable to this issue so basically so once you find the prototype pollution it's just not an impactful bug in the web application the the prototype pollution itself is not an impactful bug so you need something like a script gadget which can escalate the prototype pollution to uh cross-site scripting in the client-side application or uh uh remote code exhibition in the server side application so you need something called a scrap script gadget uh in case of uh in case of uh client side script gadget is a javascript sync trigger uh sync which can give it which can be triggered by a prototype pollution so i just shared an example here like there is a function

named hooks call it iterates over window.hooks object and uh it evaluates all the window.hooks properties so with the foreign for in notation uh it actually iterates over the given object and also iterates over the uh proto uh iterates over its prototype chain so it can if it finds any properties on its prototype chain it will also evolute so what happens if you can pollute a property in the middle so which means uh you got an across the scripting on the application so this same uh uh script gadget i used an elastic's uh product which i'll show you in the next case case study so this is called an script gadget so here hooks call is

golden script gadget uh in case of client-side client applications so this is a really interesting part in the whole research like you have to spend a good amount of time finding script gadgets in the given application uh it's a pretty hard like you need to like debug whole javascript all the time uh if you are lucky you can find uh a script gadget immediately using uh file descriptors and tester types our security ambi's wjs uh if you are not lucky you have to manually find it so i thought of creating a codequal query uh to manually find these uh script gauges but because of time because of some issues i left i left in the middle uh you can try this stuff

so this is about the like now we found the pollution on an application we found a script gadget we just reported to the program so they'll give bounty and all so one uh there is more we can do like you can store the vulnerable uh code like you you check which application which third party which led to the prototype pollution in the application and store it in a database and use this uh source code to search in uh like source code engine called publicw.com where you can set source source code so basically open you you paste the vulnerable code in that source code and it will find our alexa top thousand websites if if you are lucky you will find uh

a similar website using the same library uh that's it about uh identifying the vulnerable library like you store the store the code in the database and you can do some passive passive or finding like using burp regular expression section by passing mode or source code sets in public www.com yeah this is about a methodology part of this whole research like this is a different stuff we did during the whole research so now let's talk about the real bugs we found on applications like uh we found numerous works i just uh took three out of the three out of uh all these works and i am going to show about them like this one is like uh

at the time i uh i mean my beta card i was bored of studies and i uh so i went to a private program like which is my favorite and it it is a pretty java intensive program so what i did was like i uh i took the domains all the subdomains of the program and ran my selenium script and they didn't find anything so what i did was like uh i i believed that it definitely has prototype pollution because it is as i said it is a java intensive application and then what i did was like uh so it didn't as i said selenium script didn't find anything so i installed the my chrome extension and

scanned uh pages on top of my mind and it didn't find anything so i decided to use a static analysis tool which is codekill so what i did was like i created a python script which basically downloaded all the js files in the application and using this codequal command you can create the database from that javascript so you create a database and then i this is the query i wrote like uh uh like we're using the references from github.com for ql slash goodwill uh i wrote according to my need and i scanned the like uh under on its vulnerable db uh and it surprisingly it found only one uh prototype pollution uh basically uh we found this prototype pollution and uh

we took a week to find uh uh cross-site scripting on the up uh on that application because it's a pretty uh hard like we were able to like we took two days to convert the theory into prototype pollution and find a script gadget for two days and finally we were able to achieve access and we reported it and they paid us a 4k uh dollars for the bug so next case study is like this bug was found by harshan rahul which is a pretty interesting bug so um when i was when i thought like uh i had this idea of creating creating a chrome extension to scan authenticated pages so i created extension and my extension looks like

this and it reports when a prototype pollution is payload i think at the same day uh harsh and also thinking about uh i'm also collaborating with them and at the same day they also created extension which reports if it's fine if it finds a prototype pollution basically uh the the first website rahul visited uh which is apple.com showed it's vulnerable to prototype pollution and he was surprised so he didn't believe that he thought it's a false positive once he properly checked it and it it actually is an um true positive and they uh they found a script gadget and got a bypass somewhere and they were able to achieve uh prototype pollution so basically uh apple is using a third

party library called kanji sd param uh which is vulnerable to prototype pollution and uh rahul submitted the bug rahul under submitted the bug to uh github uh kenji s d param uh and apple they paid them six thousand dollars for the issue uh next one is uh like as i said uh we have a python selenium script right so what what it does like it scans the given urls and if it finds any prototype pollution it sends a uh notification to our discord uh server so one day for its entire notification which uh which is a product of elastics so it sent a notification saying that it found a prototype pollution and uh i immediately found a

script gadget and reported it to them and they paid us two thousand five hundred dollars uh as you can see i as i already told uh hooks call script gadget i speak uh i told uh i was speaking previously right this is the gadget like you can you can pollute any property it gets evaluated so that's uh that's the script gadget i used it here uh so let's see the results like we found a numerous application vulnerable to uh prototype pollution like uh we nearly found uh 18 libraries which are vulnerable to prototype pollution and we reported uh 80 uh 80 uh access to buy bug bounty programs and we collectively and 40 k thousand

dollars with this bug uh now uh hush will speak more about the mitigations part of this uh thanks mohan for going into details about methodology and uh results of the research so let's talk about the mitigations uh you can apply uh in your code basis to fix this vulnerability so first of all just remove the vulnerable vulnerable code so we have like like seen that there is no easy way to fix this vulnerability because there are a lot of bypasses there are like no clear uh ways to fix it so for example if you look at uh there are some common ways developers were using like we were reporting and they were fixing it using

these methods called uh freezing the object or prototype what it does it basically freeze and you cannot it any other property so freezing or ceiling or maybe object dot create null so this way you know the object won't have the prototype probably property all together so uh these were not enough we were able to bypass these fixes so if you want to go into the detail of you know finding way to uh like way around this uh check out our teammate blackfence uh talk uh walgar ctf and where he explained like how you can bypass these mitigations as well he went really deep into the mitigation part of it but uh yes at the top of my mind i can just say

just uh remove the one labor code or otherwise you can maybe use of object dot has on property and check if the you know the property you are taking is actually is actually belong to that object or not it will return a boolean value and then you can confirm using it uh now to the end of our uh talk what else you can do like there's a lot of has been done uh uh by our team and uh we are looking from uh other people to work on this because it's such an interesting attack surface and it's a very new attack surface uh so for example we were focusing on client-side prototype pollution for the

while uh but there's basically javascript script can be run on server side and uh with that it comes like this vulnerability can be explored on server side which basically means you can find vulnerabilities like sqli and rc using this so uh that's another great area of research and another thing is related to browsers though uh browsers are currently you know discussing ways to mitigate this vulnerability at browser level itself so there's this github discussion going on uh related to this mitigations uh and people like uh trying to come up with proper mitigation so maybe you can go into this mitigation part of uh like uh you know from from a browser site so yeah that's that's about

conclusion uh here are some amazing people who worked on this research with us and uh yeah a lot of uh great people give them a follow they they really put out good stuff on on the internet so yeah give them a follow and these are the other researchers who were like not actively contributing but uh it basically comes from their uh their own books like for if you see wc bowling he was the first person whose bug we found like on hacker when he reported the first prototype pollution that we spotted so that's where we got the trash from so these people are amazing just give them a follow yeah thanks and if anyone have any questions

related to this class or you know the methodology or anything just shoot it up yeah it's publicly available it's available on github yeah everything you can yeah like almost all the stuff we shown here is basically available via the blog or via the so visit github.com you can find many resources regarding this vulnerability thank you yeah so most of the script gadgets you see you don't have to find yourself like all our public and people are actively contributing that to that github paper so you can find those script gadgets as well the chrome extension as well so most of the part of the resource is already out in public uh yeah so i think it's started by this

collaboration so uh like like i said we spotted this hacker one vulnerability by wc bowling and uh at the same time i was you know talking with mohan and he was already started he has already started working on it so we just started collaborating on this work together and he had a like broader set of researchers who were already working on this so that's how we started then everyone has their unique ideas like you know like you said we were also making a chrome extension so we just put our old thoughts uh you know in one discord channel and that's how it went so it's generally collaboration like if you are hacking try to you know collaborate as

much as with people because maybe something you are you know making is already done by other and they may they may have an idea to improve it so generally collaboration that lead to this yeah thank you all for attending our talk