Dasty : Revealing Real-World Prototype Pollution Consequences with Dynamic Taint Analysis

This is a Master's thesis from KTH/School of Electrical Engineering and Computer Science (EECS)

Abstract: Prototype pollution is a vulnerability in JavaScript and other prototype-based languages that allows malicious actors to inject a property into an object's prototype. The injected property can subsequently trigger gadgets: source code sections that use the properties in sensitive locations. Gadgets can lead to various exploits, including denial-of-service, data exfiltration, and arbitrary code execution (ACE). Current research focuses primarily on the detection of pollution, while only a few works discuss gadget detection. Those that do propose detection solutions for either browser-side applications or selected frameworks. This thesis aims to answer how prototype pollution affects modern server-side applications built on the Node.js framework. We propose a system that can automatically detect potential prototype pollution gadgets in Node.js applications. We utilize dynamic taint tracking to find flows from polluted prototypes to exploitable functions. Our system consists of multiple distinct runs. A first run analyzes a program without changing the control flow, to avoid premature termination through exceptions and program crashes. In subsequent runs, the system selectively changes conditionals to increase coverage. Based on our methodology, we implement Dasty, a performant dynamic taint analysis for prototype pollution gadgets built on NodeProf and the Truffle Instrumentation Framework. Dasty can automatically analyze third-party packages by utilizing their test suites. We use our implementation to analyze the 5000 most depended upon npm packages and verify the resulting flows systematically, focusing on ACE and similar high-profile vulnerabilities. Through the analysis, we identify 16 new gadgets in packages used by thousands of applications. Our results suggest that prototype pollution can lead to serious security issues in many modern applications.
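The flow the abstract describes, from a property served by the prototype chain to a sensitive decision in library code, as an added illustration that is not code from the thesis or from Dasty. A Proxy records every read that an object's own properties do not answer (the source side of the taint), a hypothetical option parser plays the gadget, and a hardened variant shows the own-property check that breaks the flow; the function and option names are assumptions.

```javascript
// Hypothetical library code: picks where to write a report. Reading
// `options.outputPath` without an own-property check means an inherited
// (polluted) value reaches the file-path decision, i.e. this is a gadget.
function pickOutputPathVulnerable(options) {
  return options.outputPath || "report.txt";
}

// Hardened variant: only the object's own properties are consulted, so a
// value injected into a prototype never reaches the decision.
function pickOutputPathHardened(options) {
  return Object.hasOwn(options, "outputPath") ? options.outputPath : "report.txt";
}

// Wrap an input object so that every read answered by the prototype chain
// rather than by an own property is recorded. This mimics, in-process and
// per-object, the "taint source" side of the analysis described above.
function traceInheritedReads(fn, input) {
  const inherited = [];
  const proxy = new Proxy(input, {
    get(target, prop, receiver) {
      if (typeof prop === "string" && prop in target && !Object.hasOwn(target, prop)) {
        inherited.push(prop);
      }
      return Reflect.get(target, prop, receiver);
    },
  });
  return { result: fn(proxy), inherited };
}

// Simulate pollution on a throwaway prototype instead of Object.prototype,
// so the demonstration is isolated and leaves the running process untouched.
// The caller supplied no outputPath of its own; the polluted value is constructed.
function simulatePollution() {
  const pollutedProto = { outputPath: "/tmp/polluted-value.txt" };
  const userOptions = Object.create(pollutedProto);
  return {
    vulnerable: traceInheritedReads(pickOutputPathVulnerable, userOptions),
    hardened: traceInheritedReads(pickOutputPathHardened, userOptions),
  };
}
```

Running `simulatePollution()` reports the inherited read `outputPath` for the vulnerable function and none for the hardened one, which is the kind of flow a taint-based gadget detector is looking for.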
