Detecting Node.js prototype pollution vulnerabilities via object lookup analysis

“…First, in contrast to standard taint analysis, injection sinks cannot be identified syntactically as they require specialized data flow analysis that record accesses to object properties, as illustrated by the blue dotted line. The analysis should identify attacker-controlled inputs that allow to control the prototype object, followed by uses 2: Universal gadget in Node.js standard library of this prototype object as a receiver in a property assignment [31]. Second, the analysis should handle language constructs such as loops and model the JavaScript built-in functions, e.g., shift() to correctly propagate data flows.…”

“…Third, given the size of the targeted codebases, the analysis should be scalable, seeking the sweet spot between precision and recall. While prior work achieves high precision, it reports low recall, thus increasing the possibility to miss flaws in real applications [31,32]. These requirements lead us to our first research question: How to design and implement a scalable static analysis that effectively identifies prototype pollution in real-world libraries and applications?…”

“…Its package management system, npm, is the world's largest software repository with millions of packages. Researchers have studied this ecosystem extensively to discover several security risks [13,19,31,[43][44][45]49],…”

“…This vulnerability was first introduced by Arteau [11], showing that it is a widespread problem in Node.js libraries. Recently, Li et al [31,32] present a static analysis technique for detecting prototype pollution vulnerabilities using object property graphs.…”

“…The few prior works [25,27,31,32,49] on prototype pollution consider a successful attack any mutation of the root prototype. An immediate consequence of such mutations is denial of service due to the overwriting of important builtin APIs, e.g., toString.…”

Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js

“…First, in contrast to standard taint analysis, injection sinks cannot be identified syntactically as they require specialized data flow analysis that record accesses to object properties, as illustrated by the blue dotted line. The analysis should identify attacker-controlled inputs that allow to control the prototype object, followed by uses 2: Universal gadget in Node.js standard library of this prototype object as a receiver in a property assignment [31]. Second, the analysis should handle language constructs such as loops and model the JavaScript built-in functions, e.g., shift() to correctly propagate data flows.…”

“…Third, given the size of the targeted codebases, the analysis should be scalable, seeking the sweet spot between precision and recall. While prior work achieves high precision, it reports low recall, thus increasing the possibility to miss flaws in real applications [31,32]. These requirements lead us to our first research question: How to design and implement a scalable static analysis that effectively identifies prototype pollution in real-world libraries and applications?…”

“…Its package management system, npm, is the world's largest software repository with millions of packages. Researchers have studied this ecosystem extensively to discover several security risks [13,19,31,[43][44][45]49],…”

“…This vulnerability was first introduced by Arteau [11], showing that it is a widespread problem in Node.js libraries. Recently, Li et al [31,32] present a static analysis technique for detecting prototype pollution vulnerabilities using object property graphs.…”

“…The few prior works [25,27,31,32,49] on prototype pollution consider a successful attack any mutation of the root prototype. An immediate consequence of such mutations is denial of service due to the overwriting of important builtin APIs, e.g., toString.…”

Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js

A Review of Code Vulnerability Detection Techniques Based on Static Analysis

Stubbifier: debloating dynamic server-side JavaScript applications