It is fair to say that the Internet and the World Wide Web as we know them would not exist without a scripting language most people overlook: JavaScript. Whether we like it or not, JavaScript is what made the web interactive, usable and convenient; disabling scripting breaks most sites except the very simplest. Unfortunately, that dependence on JavaScript has also turned it into an attack surface for many exploits.
One such flaw is the prototype pollution vulnerability in the jQuery JavaScript library, tracked as CVE-2019-11358 and reported by Snyk.io. The bug sat in the deep-copy mode of jQuery.extend for more than a decade before its recent discovery, and jQuery is by far the most widely deployed JavaScript library, with a reported 97% share compared to its competitors. Prototype pollution as an attack class was first demonstrated publicly at the NorthSec 2018 conference, and it took only a few months for the same pattern to be found exploitable in code running on real web servers.
“Many of these prototype pollution vulnerabilities have been reported by Olivier Arteau, also known as HoLyVieR, via a responsible security disclosure for the HackerOne program that the Node.js Security WG runs in order to provide incident response and to handle security issues that affect the larger JavaScript ecosystem. Olivier has also released a detailed vulnerability report on the impact of prototype pollution and presented a real-world case of this vulnerability affecting the Ghost CMS Node.js project in the NorthSec conference,” explained Liran Tal, Developer Advocate at Snyk & Node.js Foundation Security Working Group.
Fortunately, the flaw is not trivial to exploit. It only affects applications in which attacker-controlled data reaches a vulnerable deep-merge call, and whether the resulting pollution does any damage depends on how the application's own JavaScript later reads the polluted properties, which varies from site to site.
“Finding versions of the jQuery vulnerability for this exploit is not a hard task, but automating an actual exploitation for custom code that makes use of jQuery’s vulnerable API with regards to the prototype pollution would be more difficult. Exploiting server-side closed source code, which is not easy to access for investigation, does require a fair bit of research to find out how polluting a global object scope would affect an application, if prototype pollution is applicable at all in such cases,” added Tal.
The obligation falls on web developers: they need to stop running old versions of jQuery. Like any other software, jQuery receives patches that close the security holes attackers use to penetrate otherwise secure websites, and the prototype pollution fix shipped in jQuery 3.4.0. For this issue the jQuery developers even went out of their way to publish a backport patch for older versions of the library, so that sites still running ancient releases such as the 1.x line can be covered too.
For those that cannot apply the patches for one reason or another, Snyk's advisory lists the following mitigation strategies to keep third parties from exploiting the bug (quoted directly from Snyk.io):
- Ensure you are using safe recursive merge implementations.
- Consider creating objects without a prototype, such as Object.create(null) to avoid them being susceptible to prototype pollution attacks.
- Avoid using square bracket notation when working with user-controlled data, and at all if possible. Consider using the Map language primitive for map-based structures.
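The following JavaScript is an added example, not jQuery's code and not Snyk's: it shows the class of defect described above (a deep merge that follows a user-supplied `__proto__` key into `Object.prototype`) beside a hardened merge that applies the three mitigations just listed, and a lookup that contrasts square-bracket access on a plain object with `Map.get`. The function names, the attacker payload and the role table are constructed for illustration.

```javascript
// Added example (not jQuery's implementation). unsafeDeepMerge has the same
// defect class as the deep-copy mode of jQuery.extend before 3.4.0: it copies
// every enumerable key, including "__proto__", and recurses into the existing
// target property, which for "__proto__" is Object.prototype itself.
function unsafeDeepMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeDeepMerge(target[key], value); // for "__proto__": merges into Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: only own keys, dangerous keys skipped, nested containers
// created without a prototype (Object.create(null)).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop (or reject the whole request)
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const next = existing !== null && typeof existing === 'object' ? existing : Object.create(null);
      target[key] = safeDeepMerge(next, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload: a JSON body a server might deep-merge into
// per-request options. JSON.parse makes "__proto__" an ordinary own key.
const ATTACKER_PAYLOAD = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Shows the pollution: an unrelated object created beforehand suddenly has
// isAdmin === true because it inherits from the polluted Object.prototype.
function demonstratePollution() {
  const victim = {};
  const before = victim.isAdmin; // undefined
  unsafeDeepMerge({}, JSON.parse(ATTACKER_PAYLOAD));
  const after = victim.isAdmin; // true, leaked via Object.prototype
  delete Object.prototype.isAdmin; // clean up so the rest of the demo is unaffected
  return { before, after };
}

// Same payload through the hardened merge: benign keys survive, the
// "__proto__" key is neither copied nor followed.
function demonstrateHardened() {
  const victim = {};
  const merged = safeDeepMerge({}, JSON.parse(ATTACKER_PAYLOAD));
  return {
    theme: merged.theme, // 'dark'
    victimIsAdmin: victim.isAdmin, // undefined
    protoKeyCopied: Object.prototype.hasOwnProperty.call(merged, '__proto__'), // false
  };
}

// Square-bracket lookup keyed by user-controlled data: a plain object also
// answers for inherited names such as "toString" (and, after pollution, for
// whatever the attacker added); a Map only returns what was put into it.
const ROLES_OBJECT = { alice: 'admin', bob: 'user' }; // constructed sample data
const ROLES_MAP = new Map(Object.entries(ROLES_OBJECT));

function lookupRole(name) {
  return {
    fromObject: ROLES_OBJECT[name],
    fromMap: ROLES_MAP.get(name),
  };
}

// Usage:
// demonstratePollution(); // { before: undefined, after: true }
// demonstrateHardened();  // { theme: 'dark', victimIsAdmin: undefined, protoKeyCopied: false }
// lookupRole('toString'); // fromObject is a function, fromMap is undefined
```

The hardened merge drops forbidden keys silently; in a real request handler rejecting the whole input is usually the better choice, since a `__proto__` key in client-supplied JSON has no legitimate use. Also note that the pollution lands on `Object.prototype`, which is shared process-wide in Node.js, so one malicious request can change the behaviour of every later request until the process restarts.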