Context
JavaScript runtimes have existed since 2009, when Node.js was introduced, making JavaScript a first choice for full-stack web development. The language is prototype-based: objects inherit properties from a shared ancestor object. An attacker can abuse this behaviour by performing prototype pollution, i.e. injecting properties into that shared prototype so that every object inheriting from it is affected.
Fundamental Node.js libraries found to be vulnerable to PP (prototype pollution):
- lodash (2023)
- vm2 (2023)
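Added example (not code from the summarised paper or from the libraries named above) showing the mechanism: a naive recursive merge that can be made to write onto Object.prototype, beside a hardened merge that refuses keys resolving to a shared prototype. The function names and the JSON payload are constructed for illustration.

```javascript
// Vulnerable: walks every own key of attacker-controlled input, including
// "__proto__". For target = {}, target["__proto__"] is Object.prototype, so the
// recursion writes the payload's properties onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val && typeof val === 'object' &&
        target[key] && typeof target[key] === 'object') {
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: drop keys that reach a prototype, and only recurse into
// properties the target actually owns (never into inherited ones).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (val && typeof val === 'object' &&
        own && target[key] && typeof target[key] === 'object') {
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Detection check: feed a constructed payload (as JSON.parse on a request
// body would produce it) through a merge function and report whether a
// fresh, unrelated object now inherits the injected key. Cleans up afterwards.
function pollutes(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": true}}');
  mergeFn({}, payload);
  const hit = ({}).polluted === true;
  delete Object.prototype.polluted; // restore the runtime
  return hit;
}
```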
Contributions
- a vulnerability review that tests state-of-the-art mitigation tools
- an analysis of why these tools are not good enough
- a new dynamic fuzzer, tested on 60k real Node.js packages
- 65 previously unknown zero-day vulnerabilities found (6 CVEs assigned)
Approach
- Investigate the current progress of prototype pollution research
- Focus on dynamic fuzzing
Results
- DF can only discover 90 of the 293 vulnerabilities in total
- ObjL can detect just 152
- state-of-the-art solutions do not cover most of the historical vulnerabilities disclosed to the public