Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Prototype pollution bug exposed Ember.js applications to XSS

A bug in Ember.js, a JavaScript framework for building Node.js web applications, allowed attackers to stage prototype pollution attacks against the host server.

Prototype pollution attacks take advantage of JavaScript’s dynamic property-assignment features to make global changes to critical objects. In the case of Ember.js, the prototype pollution vulnerability could potentially allow attackers to stage cross-site scripting (XSS) attacks and steal user information.

Untrusted input
Masato Kinugawa, the security researcher who discovered the bug, first caught sight of it during another investigation.

“In spring 2021, I noticed an XSS bug in one of the domains owned by Google, and I reported it through the Google Bug Bounty Program,” Kinugawa told The Daily Swig. “When investigating the details, I noticed that the root cause was in the Ember.js framework.”

According to Kinugawa’s findings, if an application passes unsanitized user input to some of the property-setting functions of Ember.js objects, it can lead to prototype pollution.

In essence, this means that the attacker can use the property function to traverse the object prototype and make changes to other parts of the JavaScript program, including the base object from which all other objects are derived.

The prototype pollution bug could potentially be chained with other vulnerabilities in the target application to carry out other malicious activities, including stealing credentials.

To abuse the flaw, an attacker would need a script gadget that accesses the vulnerable property setter. “In the case of Google’s bug, I was able to use a Google reCAPTCHA gadget because the app used the reCAPTCHA script,” Kinugawa explained.

Feature or bug?

The capability to make dynamic changes to object structures and prototypes is one of the features that make JavaScript flexible. However, this also creates a challenge for developers, who must make sure property changes avoid resulting in prototype pollution vulnerabilities, especially when the changes are coming through user input.

“While deep property chaining is an intended feature of these APIs, and passing untrusted input to them is ill-advised, we agree that this behavior is surprising enough to constitute an increased security risk,” Ember said in an advisory.

A new version of the framework explicitly prevents the previously vulnerable functions from making changes to the object prototype.

Prototype pollution bugs remain elusive as they are not well understood by developers. Kinugawa provided some hints on how software developers might find similar vulnerabilities in their programs and the libraries they use.

“In most cases that I’ve found, the [prototype] pollution happened when converting the URL parameters to JavaScript object,” Kinugawa said. “So, anyone trying to find this type of bug should be able to find it by looking carefully at the URL parameter handling.”

Copyright 2021 Associated Press. All rights reserved.

Source: https://portswigger.net/daily-swig/prototype-pollution-bug-exposed-ember-js-applications-to-xss

Advertisement. Scroll to continue reading.
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Cyber Security

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation. It can find and fix vulnerabilities on...

Cyber Security

The Environmental Protection Agency cited a lack of resources and the sheer volume of critical vulnerabilities as the reasons for its inability to patch...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO