PwnFunction – Code Pollution


JavaScript

Updated Jul 22nd, 2022

Source here

What is code pollution?

An attacker sends a crafted request and ends up able to run commands on your machine: they get a shell, i.e. remote code execution. The example in the video is a Next JS app that uses the flat module, which was vulnerable to JavaScript prototype pollution.

Every plain object inherits from Object.prototype, so someone who can write to that prototype can add a new property or a malicious function that shows up on every object in the process, including objects created long before the write.

someObject.__proto__.isAdmin = true

After that line runs, any object that was not given its own isAdmin property reports isAdmin as true, because the lookup falls through to the polluted prototype.

Use the Snyk CLI: running “snyk test” in a project scans its dependencies and lists all of the known vulnerabilities in the project’s packages. (Details on each advisory are on security.snyk.io.)

What is the flat module used for? It turns a nested object into a single-level object whose keys are dotted paths, and its unflatten method does the reverse. Some users run unflatten over query parameters, and naive devs also unflatten the whole request body or query. Not a good idea at all: an attacker-controlled key such as __proto__.isAdmin walks straight into Object.prototype.

What are gadgets? Existing code in the application or framework that you can re-use, or chain together, to turn a primitive like prototype pollution into the effect you want. getServerSideProps (GSSP) returns more than just props: it can also return notFound and redirect. With prototype pollution you can set notFound to a truthy value for all pages, because the framework reads that key off the returned object and an inherited value passes the same check as a real one. But who cares about sending people to the 404 page when the redirect option lets you send users to any link.
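To make the injection point (unflattening the query) and the gadget (the redirect key on the GSSP return value) concrete, here is an added example that is not code from the video, from Next JS or from the flat module. unflattenNaive mimics the behaviour of a vulnerable unflatten, getServerSideProps and handleRequest are mock stand-ins for a page and for the framework code that consumes its return value, and the request URLs are constructed.

```javascript
// Mimics a vulnerable unflatten(): dotted keys become nested objects, and a
// segment named "__proto__" is followed like any other, so the walk lands on
// Object.prototype. Deliberately unsafe; it exists only to show the bug.
function unflattenNaive(flat) {
  const result = {};
  for (const [key, value] of Object.entries(flat)) {
    const parts = key.split('.');
    let cur = result;
    for (let i = 0; i < parts.length - 1; i++) {
      const p = parts[i];
      if (typeof cur[p] !== 'object' || cur[p] === null) cur[p] = {};
      cur = cur[p];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return result;
}

// Mock page: a typical getServerSideProps that only ever returns props.
function getServerSideProps() {
  return { props: { title: 'Home' } };
}

// Mock of the framework side (an assumption, not Next JS source): it reads the
// optional notFound and redirect keys with plain property accesses, so a value
// inherited from a polluted Object.prototype passes the same checks as a real one.
function handleRequest(url) {
  const query = Object.fromEntries(new URL(url, 'http://localhost').searchParams);
  unflattenNaive(query); // the "just unflatten the query" step; its result is not even used here
  const result = getServerSideProps();
  if (result.notFound) return { status: 404 };
  if (result.redirect) {
    return { status: 307, location: result.redirect.destination };
  }
  return { status: 200, props: result.props };
}

// Three requests in sequence. The second one pollutes Object.prototype.redirect;
// the third is an unrelated, well-behaved request that is redirected anyway,
// because the pollution is process-wide and outlives the request that caused it.
function demo() {
  const before = handleRequest('/?page=1');
  const attack = handleRequest('/?__proto__.redirect.destination=https://evil.example/');
  const victim = handleRequest('/?page=1');
  delete Object.prototype.redirect; // undo the pollution so nothing else in this process is affected
  return { before, attack, victim };
}
```

Note that the attacker's own page never needs the unflattened object; the damage is the side effect on Object.prototype, which is why every later request keeps redirecting until the process restarts.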

With AMP conversion enabled on a page, the author, while debugging, came across a runInContext method, which leads to Node JS’s VM module: it executes a string of code inside a given context. He walked the stack trace to find the object/class whose default link value he could pollute, and then set that link to whatever he wanted.

What is the assert method in JS?

In Node JS, assert(expression) from the assert module tests whether the given expression is truthy and throws an AssertionError if it is not (browsers have console.assert, which only logs).

The 15:45 mark is a summary and shows escaping out of the sandbox to execute any code you want outside of the sandbox. In that respect the VM module is similar to the “eval” function in Node JS; Next JS middleware told me eval is suspect.

How to protect against this? This is not a Next JS vulnerability; it is a vulnerability in the flat module, and if your project uses that module on untrusted input then your project does become vulnerable. Pick modules carefully. Other tips from the Snyk website:

Freeze objects you know are not going to change (Object.freeze, including Object.prototype itself if nothing in the app needs to extend it). Create objects with a null prototype (Object.create(null)) so there is no __proto__ to reach. Require schema validation of JSON input so unexpected keys are rejected before they reach code like unflatten.
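The three tips above applied in an added example that is not from the video or from any library. unflattenSafe is a hypothetical replacement for a naive unflatten, validateQuery is a minimal allowlist stand-in for a real schema validator, and the sample inputs are constructed.

```javascript
// Segments that must never be followed when building nested objects from
// untrusted keys: each one is a route to a shared prototype.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Hypothetical safe unflatten: rejects dangerous segments outright, and builds
// null-prototype objects so a key named "__proto__" would be an ordinary own
// property even if it slipped through.
function unflattenSafe(flat) {
  const result = Object.create(null);
  for (const [key, value] of Object.entries(flat)) {
    const parts = key.split('.');
    if (parts.some((p) => FORBIDDEN.has(p))) {
      throw new Error(`rejected key: ${key}`);
    }
    let cur = result;
    for (let i = 0; i < parts.length - 1; i++) {
      const p = parts[i];
      if (!Object.hasOwn(cur, p) || typeof cur[p] !== 'object' || cur[p] === null) {
        cur[p] = Object.create(null);
      }
      cur = cur[p];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return result;
}

// Minimal allowlist validator standing in for a real schema library: only the
// keys listed in the schema may appear, and each value is coerced to the
// declared type or rejected. Unknown keys (including "__proto__") never pass.
function validateQuery(query, schema) {
  const clean = Object.create(null);
  for (const key of Object.keys(query)) {
    if (!Object.hasOwn(schema, key)) throw new Error(`unexpected key: ${key}`);
    const value = schema[key] === 'number' ? Number(query[key]) : String(query[key]);
    if (schema[key] === 'number' && !Number.isFinite(value)) throw new Error(`bad number for ${key}`);
    clean[key] = value;
  }
  return clean;
}

// Freezing Object.prototype is process-wide and irreversible, so do it once at
// startup and only if nothing in the application extends built-in prototypes.
function freezeObjectPrototype() {
  Object.freeze(Object.prototype);
  return Object.isFrozen(Object.prototype);
}

// Attempts the pollution write after freezing and reports whether it stuck.
// In strict mode the write throws a TypeError; in sloppy mode it is silently ignored.
function pollutionStuck() {
  'use strict';
  try {
    ({}).__proto__.isAdmin = true;
  } catch (e) {
    // expected once Object.prototype is frozen
  }
  return ({}).isAdmin === true;
}
```

Rejecting the forbidden segments and using null-prototype objects are independent defences; keep both, since a future refactor could drop either one without anything obviously breaking.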