What is prototype pollution?
Prototype pollution in jQuery.
This constant talk about prototype pollution attacks has also caught the attention of Snyk, a company that provides source code scanning technology and whose researchers were interested in documenting this new attack vector, Liran Tal, a security researcher at Snyk, told ZDNet in an interview earlier this week.
In a report published last week, Tal and the Snyk team described, and published proof-of-concept code for, a prototype pollution attack (CVE-2019-11358) affecting jQuery. To show how dangerous the vulnerability is, they demonstrated how a prototype pollution flaw could let attackers assign administrator rights within a web application whose interface uses jQuery.
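As an added illustration of the flaw class the report describes, the following is example code written for this page: it is neither jQuery's implementation nor Snyk's proof of concept. The recursive "extend" routines, the constructed JSON input and the isAdmin checks are all assumptions made for the example; the vulnerable routine only models the behaviour of a deep merge that walks into a "__proto__" key, beside a hardened version and a hardened authorization check.

```javascript
// Added example (not jQuery's code and not Snyk's proof of concept): a
// simplified recursive "extend" of the kind CVE-2019-11358 concerned, beside
// a hardened version. It models the flaw class only; the real jQuery
// implementation differs in detail.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable model: iterates every key of the source, including "__proto__",
// and walks into it. target["__proto__"] resolves to Object.prototype, so the
// recursion writes attacker-controlled keys onto every object in the runtime.
function naiveDeepExtend(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened model: refuses the keys that reach the prototype chain and merges
// only own properties of the source.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // drop the pollution vector outright
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeDeepExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// An authorization check of the kind the article alludes to: it reads a
// property that may be inherited, so it is affected by pollution.
function isAdminNaive(user) {
  return user.isAdmin === true;
}

// Robust check: only trust a property the object itself carries.
function isAdminStrict(user) {
  return Object.prototype.hasOwnProperty.call(user, 'isAdmin') && user.isAdmin === true;
}

// Constructed input: the shape of JSON a merge routine might receive from a
// request body. JSON.parse creates an *own* property named "__proto__".
const CONSTRUCTED_INPUT = '{"name":"alice","__proto__":{"isAdmin":true}}';

// Runs the vulnerable merge, records the effect on an unrelated object, then
// removes the polluted property so the rest of the process is unaffected.
function demonstrateVulnerable() {
  const source = JSON.parse(CONSTRUCTED_INPUT);
  const unrelatedUser = {}; // a fresh object that has nothing to do with the merge
  const before = isAdminNaive(unrelatedUser);
  naiveDeepExtend({}, source);
  const afterNaiveCheck = isAdminNaive(unrelatedUser);
  const afterStrictCheck = isAdminStrict(unrelatedUser);
  delete Object.prototype.isAdmin; // clean up the pollution
  return { before, afterNaiveCheck, afterStrictCheck };
}

// Runs the hardened merge on the same input and confirms nothing leaked.
function demonstrateHardened() {
  const source = JSON.parse(CONSTRUCTED_INPUT);
  const merged = safeDeepExtend({}, source);
  const unrelatedUser = {};
  return {
    merged,
    polluted: isAdminNaive(unrelatedUser),
    mergedHasOwnProto: Object.prototype.hasOwnProperty.call(merged, '__proto__'),
  };
}

console.log(demonstrateVulnerable(), demonstrateHardened());
```

The defensive points are the two hardenings: the merge refuses the `__proto__`, `constructor` and `prototype` keys and copies only own properties, and the authorization check trusts only a property the user object itself carries. In a real code base the first belongs in every recursive merge, deep-clone or "set path" helper, since code that parses untrusted JSON into objects and merges it is the usual entry point; the second limits the blast radius if such a helper is missed.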
Not easy to exploit
But the good news is that prototype pollution attacks cannot be exploited en masse, since the exploit code must be adjusted for each target individually. Prototype pollution flaws require attackers to have a deep understanding of how each website works with its object prototypes, and of how those prototypes factor into the grand scheme of things.
In addition, some websites do not use jQuery for any heavy lifting, but simply to animate a few menus and display the occasional pop-up window.
"Finding vulnerable jQuery versions for this vulnerability is not a difficult task, but automating a real exploit for the custom code that makes use of the vulnerable jQuery API with respect to prototype pollution would be more difficult," Tal told ZDNet.
In addition, applications and websites built on closed source code are also protected against some attacks, Tal told us.
"Exploiting closed-source server-side code, which is not easy to access for research, requires some research to find out how pollution of a global object could affect an application, if prototype pollution applies at all in those cases," the researcher said.
However, in cases where jQuery is used for more complex operations, such as building complete interfaces or interacting with server-side systems, prototype pollution attacks can allow hackers to reach systems considered secure: an ideal flaw for targeted attacks against high-value websites.
A huge attack surface.
Today, most websites still use the 1.x and 2.x branches of the jQuery library, which means that the vast majority of jQuery-based applications and websites are still open to attack.
Considering that the syntax breaks between the three major versions, and that web developers would rather throw acid on themselves than rewrite their frontends, most websites will continue to use the older versions for the foreseeable future.
Fortunately, the patch has been backported to the older releases.
More prototype pollution attacks to come.
Meanwhile, the work of finding and documenting more prototype pollution attacks continues at Snyk.
The company said it is already aware of more than 20 prototype pollution attacks "that span the browser and Node.js ecosystems," and expects to see more.