
Dangerous Design Patterns In One Line


This talk discusses prototype pollution, a well-known JavaScript code-quality issue with security consequences. It documents research conducted by Olivier Arteau on the topic and shows how certain APIs in JavaScript libraries (recursive merge, property definition by path, and clone) are vulnerable to prototype pollution.



Slide 1: Dangerous Design Patterns in One Line. An overview of Prototype Pollution
@LewisArdern, October 4, 2018
© 2017 Synopsys, Inc.

Slide 2: About Me
• Sr. Security Consultant @ Synopsys Software Integrity Group (SIG), formerly Cigital
• Prior to Cigital
  – B.Sc. in Computer Security and Ethical Hacking
  – Founder of the Leeds Ethical Hacking Society
  – Software Developer
  – Security Consultant
• Synopsys
  – Historically all about hardware
  – SIG formed to tackle software
  – Team consisting of well-known organizations: BlackDuck, Coverity, Codenomicon, Cigital, Codiscope

Slide 3: Prototype Pollution
• The concept of prototype pollution was coined many years ago
  – https://humanwhocodes.com/blog/2010/03/02/maintainable-javascript-dont-modify-objects-you-down-own/
  – https://ponyfoo.com/articles/how-to-avoid-objectprototype-pollution
• People tend to care about code quality
• Lack of code quality can lead to security issues
• Prototype pollution can even lead to remote code execution (RCE)
  – https://github.com/TryGhost/Ghost/commit/dcb2aa9ad4680c4477d042a9e66f470d8bcbae0f

Slide 4: Disclaimer
  https://media.giphy.com/media/12NUbkX6p4xOO4/giphy.gif

Slide 5: General Concept
• The attacker can control at least the parameters "a" and "value"

Slide 6: General Concept
• Set "a" to "__proto__" and the property named by "b" is defined, with the value "value", on the prototype of "obj". Every existing and future object that shares that prototype (for a plain object, everything that inherits from Object.prototype) now carries the property.
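The one-line pattern slides 5 and 6 describe, written out as an added example so it can be run (this is not code from the slides; the function name setValue and the key and value strings are assumptions). It also goes one step beyond the slide: the second case shows that when "obj" is a class instance the write lands on that class's prototype only, which is what "of the class of obj" means in practice.

```javascript
// Added example, not from the slides. setValue is the assumed name for the
// one-liner under discussion; a, b and value are the attacker-influenced inputs.
function setValue(obj, a, b, value) {
  obj[a][b] = value; // attacker controls a and value; b is a known key
}

// Case 1: obj is a plain object, so obj["__proto__"] is Object.prototype and
// the write becomes visible on every object that inherits from it.
function pollutePlainObject() {
  const obj = {};
  const unrelated = {}; // created before the write, never touched directly
  setValue(obj, '__proto__', 'polluted', 'yes');
  const result = {
    ownKeys: Object.keys(unrelated), // [] - nothing was added to unrelated itself
    inherited: unrelated.polluted,   // 'yes' - inherited from Object.prototype
    createdLater: ({}).polluted,     // 'yes' - objects created afterwards see it too
    forInSeesIt: [],
  };
  for (const k in unrelated) result.forInSeesIt.push(k); // ['polluted']: for-loop pollution
  delete Object.prototype.polluted; // clean up so the rest of the process is unaffected
  return result;
}

// Case 2: obj is an instance of a class, so obj["__proto__"] is Foo.prototype.
// Only other Foo instances are affected; Object.prototype stays clean.
class Foo {}
function polluteClassInstance() {
  setValue(new Foo(), '__proto__', 'polluted', 'yes');
  const result = {
    otherFoo: new Foo().polluted, // 'yes'
    plainObject: ({}).polluted,   // undefined
  };
  delete Foo.prototype.polluted;
  return result;
}
```

Both functions delete the injected property before returning; in a real application there is nothing to undo the write, which is why the remediation slides later in the deck matter.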
Slide 7: Prototype Pollution
• Research by Olivier Arteau
  – https://github.com/HoLyVieR/prototype-pollution-nsec18
  – https://medium.com/intrinsic/javascript-prototype-poisoning-vulnerabilities-in-the-wild-7bc15347c96
• Prototype pollution can introduce security issues such as
  – Denial of Service (DoS)
  – For-loop pollution (for...in loops pick up the injected property)
  – Property injection
• The research identified issues with APIs/libraries that perform:
  – Object recursive merge
  – Property definition by path
  – Object clone

Slide 8: Affected Libraries
Merge functions:
  hoek, lodash, merge, defaults-deep, merge-objects, assign-deep, mixin-deep, deep-extend, merge-options, deap, merge-recursive
Property definition by path (vulnerable by design):
  pathval.setPathValue, lodash.setWith, lodash.set, dot-prop.set, object-path.withInheritedProps.ensureExists, object-path.withInheritedProps.set, object-path.withInheritedProps.insert, object-path.withInheritedProps.push
Clone:
  deap
Legend used on the slide: Green – Fixed; Red – Still Vulnerable; Orange – Issues By Design

Slide 9: General Concept
• In object recursive merge APIs
  – If the source object contains an own "__proto__" property (for example one created with Object.defineProperty(), or by JSON.parse() of attacker-supplied input)
  – When the merge's conditions pass (both source[key] and target[key] look like objects), the merge recurses with target["__proto__"], i.e. the prototype of "Object", as the new target and attacker-defined data as the new source
  – The attacker's properties are then copied onto the prototype of "Object"
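An added example of the recursive-merge case from slide 9, not taken from the slides or from any of the libraries listed on slide 8: a minimal merge with the vulnerable shape, the JSON body an attacker would send, and a hardened merge beside it. The function names, the isAdmin property and the payload are constructed for illustration.

```javascript
// Added example, not the slides' or any library's code.
function isObject(v) {
  return v !== null && typeof v === 'object';
}

// Vulnerable: iterates every enumerable key of source, including an own
// "__proto__" key created by JSON.parse, and because target["__proto__"] is
// Object.prototype (an object), it recurses into it and writes there.
function mergeVulnerable(target, source) {
  for (const key in source) {
    if (isObject(source[key]) && isObject(target[key])) {
      mergeVulnerable(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: own keys only, the three keys that reach the prototype chain are
// skipped, and recursion only descends into an own plain-object property of
// target (never into something inherited).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const src = source[key];
    if (isObject(src)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isObject(target[key])) {
        target[key] = Array.isArray(src) ? [] : {};
      }
      mergeSafe(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Constructed attacker payload, as a JSON request body would deliver it.
const ATTACKER_JSON = '{"name":"guest","__proto__":{"isAdmin":true}}';

// Runs one merge implementation against the payload and reports whether an
// unrelated, freshly created object gained isAdmin (property injection) and
// whether for...in over an empty object now yields keys (for-loop pollution).
function demo(mergeFn) {
  const user = mergeFn({}, JSON.parse(ATTACKER_JSON));
  const victim = {};
  const escalated = victim.isAdmin === true;
  const pollutedKeys = [];
  for (const k in {}) pollutedKeys.push(k);
  delete Object.prototype.isAdmin; // reset so the next run starts clean
  return { userName: user.name, escalated, pollutedKeys };
}
```

The hardened version is one safe design among several; skipping the three keys is the fix most of the libraries on slide 8 adopted, and it only works if the check is applied at every level of the recursion, not just at the top.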
Slide 10: Spot the Issue

Slide 11: Demo: Capture The Flag
• Try it yourself
  – Live example: https://ie.amanvir.io/challenge/1
  – Source: https://gist.github.com/LewisArdern/db02e6c37b69c7cb4f1059dc9e536923

Slide 12: Detection
• npm audit (https://docs.npmjs.com/cli/audit) does not detect issues with:
  – merge
  – merge-objects
  – deep-extend
  – merge-options
  – merge-recursive

Slide 13: Detection
• Capture the use of dangerous functions with eslint
  – https://github.com/LewisArdern/eslint-plugin-prototype-pollution-security-rules
  – https://www.npmjs.com/package/eslint-plugin-prototype-pollution-security-rules

Slide 14: Remediation (advice from Olivier)
• Freeze the prototype
  – https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/freeze
  – https://github.com/tc39/proposal-frozen-realms

Slide 15: Remediation
• Object.create(null)
  – https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/create

Slide 16: Remediation
• Perform schema validation on JSON input
  – https://www.npmjs.com/package/ajv

Slide 17: Remediation
• Use ES6 Map
  – https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map
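An added example, not from the slides, of three of the remediations on slides 14, 15 and 17 applied to the obj[a][b] = value pattern: a plain object as the baseline, a null-prototype dictionary, a Map, and finally a frozen Object.prototype. The attempt helper, the key "polluted" and the store shapes are assumptions made for this illustration; schema validation (slide 16) is not shown because it needs an external package and rejects the request before any write happens.

```javascript
// Added example, not from the slides. Each case returns whether the write
// threw and whether Object.prototype ended up carrying the injected property.
const ATTACKER_KEY = '__proto__'; // constructed attacker input for "a"

function attempt(store, setByPath) {
  let threw = false;
  try {
    setByPath(store, ATTACKER_KEY, 'polluted', true);
  } catch (err) {
    threw = true; // a TypeError is the expected result for a hardened store
  }
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted; // reset in case the write got through
  return { threw, polluted };
}

// Baseline: plain object, nothing hardened; the write lands on Object.prototype.
function baseline() {
  return attempt({}, (o, a, b, v) => { o[a][b] = v; });
}

// Object.create(null): the dictionary has no prototype, so o["__proto__"] is
// simply undefined and the write fails instead of reaching Object.prototype.
function nullPrototypeDict() {
  return attempt(Object.create(null), (o, a, b, v) => { o[a][b] = v; });
}

// Map: keys are data, not property lookups; "__proto__" is stored as an
// ordinary entry and nothing on the prototype chain is touched.
function mapStore() {
  return attempt(new Map(), (m, a, b, v) => {
    if (!m.has(a)) m.set(a, new Map());
    m.get(a).set(b, v);
  });
}

// Object.freeze(Object.prototype): the write still reaches Object.prototype,
// but it is non-extensible, so the assignment is ignored in sloppy mode and
// throws in strict mode. Process-wide and irreversible, so it runs last.
function frozenPrototype() {
  Object.freeze(Object.prototype);
  return attempt({}, (o, a, b, v) => { o[a][b] = v; });
}

// Runs the four cases in a safe order (freeze last) and collects the results.
function runAll() {
  return {
    baseline: baseline(),
    nullPrototype: nullPrototypeDict(),
    map: mapStore(),
    frozen: frozenPrototype(),
  };
}
```

Two caveats a practitioner should check before adopting the freeze: it must run before any library that legitimately extends Object.prototype loads, and once Object.prototype is frozen, shadowing one of its data properties by plain assignment on an instance (for example obj.toString = fn) silently does nothing in sloppy mode and throws in strict mode. Object.create(null) and Map avoid both problems but require the code that reads the store to stop relying on inherited helpers such as hasOwnProperty.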
Slide 18: Thank You
