Assessing the Impact of Script Gadgets on CSP at Scale

Roth, Sebastian; Backes, Michael; Stock, Ben

doi:10.1145/3320269.3372201

Cited by 7 publications

(2 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Recently, Lekies et al [29] discuss how script gadgets can be used to bypass existing cross-site scripting mitigation. Roth et al [40] further study the effect of script gadgets on content security policies. Steffens and Stock [46] present PMForce, a lightweight dynamic analysis augmented with forced execution for studying post message handlers.…”

Section: Nodejs Ecosystem Securitymentioning

confidence: 99%

Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js

Shcherbakov¹,

Balliu²,

Staicu³

2022

Preprint

View full text Add to dashboard Cite

Prototype pollution is a dangerous vulnerability affecting prototype-based languages like JavaScript and the Node.js platform. It refers to the ability of an attacker to inject properties into an object's root prototype at runtime and subsequently trigger the execution of legitimate code gadgets that access these properties on the object's prototype, leading to attacks such as DoS, privilege escalation, and remote code execution (RCE). While there is anecdotal evidence that prototype pollution leads to RCE, current research does not tackle the challenge of gadget detection, thus only showing feasibility of DoS attacks against Node.js libraries.In this paper, we set out to study the problem in a holistic way, from the detection of prototype pollution to detection of gadgets, with the ambitious goal of finding end-to-end exploits beyond DoS, in full-fledged Node.js applications. We build the first multi-staged framework that uses multi-label static taint analysis to identify prototype pollution in Node.js libraries and applications, as well as a hybrid approach to detect universal gadgets, notably, by analyzing the Node.js source code. We implement our framework on top of GitHub's static analysis framework CodeQL to find 11 universal gadgets in core Node.js APIs, leading to code execution. Furthermore, we use our methodology in a study of 15 popular Node.js applications to identify prototype pollutions and gadgets. We manually exploit RCE in two high-profile applications. Our results provide alarming evidence that prototype pollution in combination with powerful universal gadgets lead to RCE in Node.js.

show abstract

Section: Nodejs Ecosystem Securitymentioning

confidence: 99%

Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js

Shcherbakov¹,

Balliu²,

Staicu³

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…In addition to measuring CSP adoption and bypasses, Pan et al [26] proposed to automatically curate CSPs from observed scripts. Similarly, Roth et al [27] relied on automated CSP generation through observed scripts to assess the dangers of gadget-enabling libraries that are co-hosted with benign, required JavaScript. Eriksson and Sabelfeld [12] proposed Au-toNav, a tool capable of automatically curating navigate-to directives for CSP.…”

Section: Cspmentioning

confidence: 99%