
Prototype pollution vulnerabilities rife among high-traffic websites, study finds

More than 1,000 popular websites and 18 widely used JavaScript libraries are vulnerable to prototype pollution, an obscure attack technique that targets the structure of JavaScript objects, according to security researchers.

The study, led by researchers ‘s1r1us’ and ‘BlackFan’, documented vulnerabilities found in Apple.com, Jira Service Management, HubSpot Analytics, Segment Analytics, and an undisclosed company, together netting them $12,600 in bug bounties.

“Throughout our research period, we have reported this kind of vulnerability to a lot of renowned companies,” the research duo told The Daily Swig.

In total they reported around 80 bugs to vulnerability disclosure programs.

JavaScript trade-off

JavaScript, the language of the front-end web, allows developers to dynamically change the properties and functions of objects, the basic construct of a program.

But this flexibility comes with a trade-off: if the programmers are not careful, malicious actors can use security holes in their application to inject malicious code into their objects’ prototypes.

Tools and techniques for finding prototype pollution

Key attack vectors for prototype pollution include user input fields and query parameters passed on to websites. If a site’s JavaScript code iterates through query parameters without sanitizing them, then it might end up running commands that change the object prototype.
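To make the mechanism in that paragraph concrete, here is an added example that is not code from the article or from the researchers' tooling: a small query-string parser that deep-merges user-controlled keys into a settings object, first in the unsafe form that writes through `__proto__` into `Object.prototype`, then in a hardened form that refuses prototype-reaching keys and uses prototype-less containers, plus a one-function check that reports whether the page's prototype has already been polluted. The bracket syntax, the function names and the sample query string are assumptions constructed for this example.

```javascript
// Added example (not from the article or the researchers' tools). Shows how a
// query-parameter merge becomes a prototype pollution sink, how to harden it,
// and how to detect that Object.prototype has been polluted.

// Split "a[b]=1&c=2" into { path: ["a","b"], value: "1" } pairs.
// The bracket syntax is an assumption; real sites use several variants.
function parseQuery(queryString) {
  const pairs = [];
  for (const part of queryString.replace(/^\?/, "").split("&")) {
    if (!part) continue;
    const [rawKey, rawValue = ""] = part.split("=");
    const key = decodeURIComponent(rawKey);
    const value = decodeURIComponent(rawValue);
    const path = key.split(/\[|\]\[|\]/).filter((s) => s.length > 0);
    pairs.push({ path, value });
  }
  return pairs;
}

// VULNERABLE: walks the key path and assigns without checking the keys.
// A first segment of "__proto__" resolves to Object.prototype, so the final
// assignment lands on the prototype every object in the page inherits from.
function applyQueryUnsafe(target, queryString) {
  for (const { path, value } of parseQuery(queryString)) {
    let node = target;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== "object" || node[path[i]] === null) {
        node[path[i]] = {};
      }
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return target;
}

// HARDENED: drop any pair whose path could reach a prototype, only descend
// into own properties, and create intermediate nodes with no prototype chain.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function applyQuerySafe(target, queryString) {
  for (const { path, value } of parseQuery(queryString)) {
    if (path.some((k) => FORBIDDEN_KEYS.has(k))) {
      continue; // reject the whole pair rather than sanitizing piecemeal
    }
    let node = target;
    for (let i = 0; i < path.length - 1; i++) {
      const isOwnObject =
        Object.prototype.hasOwnProperty.call(node, path[i]) &&
        typeof node[path[i]] === "object" &&
        node[path[i]] !== null;
      if (!isOwnObject) {
        node[path[i]] = Object.create(null);
      }
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return target;
}

// Detection: a fresh {} has no enumerable own keys, so anything for-in finds
// on it was inherited from a (polluted) prototype.
function pollutedKeys() {
  const inherited = [];
  for (const key in {}) inherited.push(key);
  return inherited;
}

// Constructed sample: a benign parameter plus a pollution attempt.
const sampleQuery = "?theme=dark&__proto__[polluted]=yes";

console.log("safe:", applyQuerySafe({}, sampleQuery), "polluted keys:", pollutedKeys());
console.log("unsafe:", applyQueryUnsafe({}, sampleQuery), "polluted keys:", pollutedKeys());

// Undo the pollution so the rest of the process is unaffected.
delete Object.prototype.polluted;
```

The hardened version rejects the key names rather than trying to clean them, because `constructor.prototype` reaches the same target as `__proto__`; combined with `Object.create(null)` for intermediate nodes, there is no prototype left to write into. The `pollutedKeys()` check is the kind of probe a browser extension or scanner can run after page load to flag that some script has already polluted the global prototype.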

The researchers wrote a bot that “runs on a huge subdomains database” and looks for JavaScript code patterns that are vulnerable to prototype pollution. They also developed a browser extension called PPScan that provides similar functionality while running in the background.

And they found ways to zero in on the line of code where the prototype pollution vulnerability kicked into action. For this, they used a combination of browser developer functionalities and search patterns.

Finally, they used tools to find ‘script gadgets’: legitimate fragments of JavaScript code that can be exploited through prototype pollution to stage cross-site scripting (XSS) attacks.

Neglected research area

While the research duo believe the vulnerabilities were not necessarily the result of bad coding practices, they are worried that prototype pollution is being neglected.

“When we look at the pitfalls of JavaScript or secure coding practices for JavaScript, we don’t find many references about prototype pollution and we think that’s the reason it’s exploitable at this scale,” the researchers said.

“We hope our blog gives more light to this attack surface and helps people mitigate these issues at scale with the provided information.”

Team effort

s1r1us and BlackFan enlisted the support of 13 other researchers with expertise in the field who helped in developing the right tools for the task. With prototype pollution defense still an underdeveloped space, this proved crucial.

“Having a group of skilled people can be helpful when conducting large-scale research,” they explained. “Every one of the researchers brought something new to the research. No wonder we have been doing this research for over a year.


“Having people around you still poking at things without being demotivated can be very encouraging. Also, needless to say, you get to learn a ton.”

Source: https://portswigger.net/daily-swig/prototype-pollution-vulnerabilities-rife-among-high-traffic-websites-study-finds
