Context
JavaScript is consistently one of the most widely used programming languages in the history of web development and modern web applications. It is used:
- client side, to create web pages in the browser
- server side, using a backend runtime (Node.js)
- for cross-platform applications with Electron or React Native (mobile apps)
Reusing objects in JS is part of the reason for its success, but this also brings issues such as prototype pollution
Approach
A multivocal literature review that considers both grey literature and formal papers
Results
RQ1: what is prototype pollution and what is its impact? A prototype pollution attack compromises JavaScript runtimes by injecting code. In a successful campaign, the attacker can create or modify a prototype that is shared between multiple objects; every object inheriting from that prototype then reflects the modification, even if it lives in a completely different scope.
RQ2: what are the known prototype pollution cases and how do organizations respond? Significant cases are known, but organizations do not prioritize solving this problem because dangerous attacks take time and effort to execute. Other vulnerabilities were patched. An advisory database of related CVEs is maintained by GitHub
RQ3: what are the current practices to detect and mitigate the problem?
- static analysis is challenging to use: the injection cannot be identified by parsing the code alone; analyzing specific data flows is required
- semi-automatic analysis for Node.js has been proposed
- A tool called SECBENCH.JS has been proposed. It runs both static and dynamic analysis to detect vulnerable packages
- DAPP is a static analyzer to detect prototype pollution. It constructs and evaluates the AST (Abstract Syntax Tree), the CFG (Control Flow Graph) and Data Flow Analysis (DFA)
- Object Lookup Analysis (ObjLupAnsys) is another tool to detect prototype pollution vulnerabilities in Node.js packages
- Using `Object.freeze()` can mitigate the issue
- Using the Lodash library to implement input filtering
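The following is an added example, not code from the reviewed paper or from any of the tools it names. It illustrates RQ1 (a modification of the shared prototype shows up on objects in an unrelated scope) and the two mitigations listed under RQ3, using a constructed JSON input and hand-written helpers (`unsafeMerge`, `safeMerge`, `runDemo` are assumed names). The key filter is written by hand here rather than taken from Lodash, and `Object.freeze()` is applied to `Object.prototype`, which is the usual target of that mitigation.

```javascript
// Constructed sample input: a JSON body of the shape an application might receive
// from a client. The "__proto__" key is the classic prototype-pollution payload shape
// discussed in the literature; it is used here only to show the effect and the fixes.
const UNTRUSTED_JSON = '{"name":"demo","__proto__":{"isAdmin":true}}';

// Naive recursive merge (assumed name, written for this example). It copies every key
// of `src` into `dst`, including "__proto__". Because dst["__proto__"] resolves to the
// shared Object.prototype, the nested object's properties land on the prototype that
// every plain object inherits from.
function unsafeMerge(dst, src) {
  for (const key in src) {
    const value = src[key];
    if (value && typeof value === 'object') {
      if (typeof dst[key] !== 'object' || dst[key] === null) dst[key] = {};
      unsafeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Mitigation 1: input filtering. Keys that can reach a prototype are dropped, only own
// keys are walked, and the target's own properties are checked before recursing.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue; // never follow a key that names a prototype
    const value = src[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const ownObject =
        Object.prototype.hasOwnProperty.call(dst, key) &&
        typeof dst[key] === 'object' && dst[key] !== null;
      if (!ownObject) dst[key] = {};
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// RQ1: an object created in a different scope, never passed to the merge, observes the
// injected property. Returns true when the pollution leaked. Cleans up afterwards so the
// later steps start from an unpolluted runtime.
function demonstratePollution() {
  unsafeMerge({}, JSON.parse(UNTRUSTED_JSON));
  const unrelated = {};
  const leaked = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

// Mitigation 1 in action: the legitimate key survives, the prototype stays clean.
function demonstrateFiltering() {
  const target = safeMerge({}, JSON.parse(UNTRUSTED_JSON));
  return { name: target.name, polluted: ({}).isAdmin === true };
}

// Mitigation 2: Object.freeze(Object.prototype) makes the shared prototype non-extensible,
// so even the unsafe merge can no longer add properties to it. Depending on strict mode
// the write is either ignored or throws a TypeError; both outcomes are handled.
function demonstrateFreeze() {
  Object.freeze(Object.prototype);
  try {
    unsafeMerge({}, JSON.parse(UNTRUSTED_JSON));
  } catch (e) {
    // TypeError in strict mode: the frozen prototype rejected the write.
  }
  return ({}).isAdmin === undefined;
}

// Freezing Object.prototype cannot be undone, so the sequence can only be observed once
// per process; later calls return the recorded results.
let cachedResults = null;
function runDemo() {
  if (cachedResults) return cachedResults;
  cachedResults = {
    unsafeLeaked: demonstratePollution(),   // true: pollution reached an unrelated object
    filtered: demonstrateFiltering(),        // { name: 'demo', polluted: false }
    frozenBlocked: demonstrateFreeze(),      // true: frozen prototype rejected the write
  };
  return cachedResults;
}

console.log(runDemo());
```

Run it with `node` to see the three results in order. Note that the filtering step must run before the freeze step only because the freeze is process-wide and irreversible; in production the two mitigations are complementary, since freezing the prototype protects against merges you did not write (for example in dependencies) while key filtering keeps your own merge correct even on runtimes where freezing is not an option.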