What is prototype pollution
Prototype pollution in jQuery
This constant chatter about prototype pollution attacks has also drawn the attention of Snyk, a company that provides source code scanning technology, whose researchers were interested in documenting this new attack vector, Liran Tal, a Snyk security researcher, told ZDNet in an interview earlier this week.
In a report published last week, Tal and the Snyk team described and released proof-of-concept code for a prototype pollution attack (CVE-2019-11358) impacting jQuery. To show how dangerous this vulnerability is, they showed how a prototype pollution flaw could allow attackers to assign themselves admin rights on a web app that uses jQuery code for its frontend.
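The mechanism behind the admin-rights scenario above is a deep merge that copies keys from attacker-controlled JSON without special-casing `__proto__`, so a nested object ends up written onto `Object.prototype` and every object in the process inherits it. The following is an added example, not Snyk's proof of concept and not jQuery's own code: `naiveDeepMerge` is a constructed stand-in for the vulnerable merge pattern, `safeDeepMerge` is the hardened form that refuses to walk into the prototype chain, `PAYLOAD` is a constructed input, and `prototypeIsClean` is a runtime check a defender can run to detect that pollution has occurred.

```javascript
// Added example (not jQuery's or Snyk's code). Demonstrates the class of bug
// described by CVE-2019-11358 with a constructed deep-merge function and
// a constructed JSON payload, beside a hardened merge and a detection check.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable pattern (constructed stand-in): keys from untrusted input are
// copied verbatim. On a plain object, target["__proto__"] resolves to
// Object.prototype, so a nested {"__proto__": {...}} lands on the prototype.
function naiveDeepMerge(target, source) {
  for (const key in source) {
    const src = source[key];
    if (isPlainObject(src)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepMerge(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Hardened merge: skip the keys that reach the prototype chain and only
// recurse into properties the target actually owns.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // never walk into the prototype chain
    const src = source[key];
    if (isPlainObject(src)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeDeepMerge(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Detection check: a clean Object.prototype has no own enumerable keys.
// A polluted property added by a merge is enumerable, so this turns false.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Constructed payload: the shape an untrusted JSON body would take.
// JSON.parse creates "__proto__" as an ordinary own property here.
const PAYLOAD = '{"name": "guest", "__proto__": {"isAdmin": true}}';

// Merge the payload into a fresh object and report whether an unrelated
// object now "inherits" admin rights. Cleans up afterwards so the process
// is not left polluted.
function demonstrate(mergeFn) {
  const user = mergeFn({}, JSON.parse(PAYLOAD));
  const unrelated = {};
  const result = {
    userIsAdmin: user.isAdmin === true,
    unrelatedIsAdmin: unrelated.isAdmin === true,
    prototypePolluted: !prototypeIsClean(),
  };
  delete Object.prototype.isAdmin; // undo the pollution for later code
  return result;
}

console.log('naive:', JSON.stringify(demonstrate(naiveDeepMerge)));
console.log('safe: ', JSON.stringify(demonstrate(safeDeepMerge)));
```

With the naive merge, an object that was never touched by the merge reports `isAdmin === true`, which is exactly the shape of an authorization check such as `if (user.isAdmin)` being bypassed. The hardened merge leaves `Object.prototype` untouched; freezing `Object.prototype` at startup or using `Object.create(null)` for merge targets are further mitigations in the same spirit.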
Not easy to exploit
But the good news is that prototype pollution attacks are not mass-exploitable, as each exploit code must be fine-tuned for each target, individually. Prototype pollution flaws require that attackers have in-depth knowledge of how each website works with its object prototypes, and how these prototypes factor in the grand scheme of things.
Furthermore, some websites don’t use jQuery for any heavy-lifting operations, but merely to animate a few menus and show some popups here and there.
“Finding versions of the jQuery vulnerability for this exploit is not a hard task, but automating an actual exploitation for custom code that makes use of jQuery’s vulnerable API with regards to the prototype pollution would be more difficult,” Tal told ZDNet.
In addition, apps and websites that rely on closed source code are also safeguarded against some attacks, Tal told us.
“Exploiting server-side closed source code, which is not easy to access for investigation, does require a fair bit of research to find out how polluting a global object scope would affect an application, if prototype pollution is applicable at all in such cases,” the researcher said.
Nevertheless, in cases where jQuery is used for more complex operations, such as building full frontends or interacting with server-side systems, prototype pollution attacks can give attackers a way into systems considered secure, making this an ideal bug for targeted attacks against high-value websites.
A huge attack surface
Today, most websites are still using the 1.x and 2.x branches of the jQuery library, which means that the vast majority of jQuery-based apps and websites are still open to attacks.
Taking into account that there’s some syntax breakage between the three major versions and that web developers would rather throw acid on their face than rewrite their frontends, most websites are bound to continue to use older versions for the foreseeable future.
Fortunately, the patch has been backported to previous releases.
More prototype pollution attacks to come
In the meantime, the work to find and document more prototype pollution attacks continues at Snyk.
The company said it’s already aware of more than 20 prototype pollution attacks, “spanning across browser and Node.js ecosystems,” and expects to see more.