Technique is exploitable at scale because it’s so overlooked, speculate researchers

More than 1,000 popular websites and 18 widely used JavaScript libraries are vulnerable to prototype pollution, an obscure attack technique that targets the structure of JavaScript objects, according to security researchers.

A study, led by researchers ‘s1r1us’ and ‘BlackFan’, documented vulnerabilities found in Apple.com, Jira Service Management, HubSpot Analytics, Segment Analytics, and the websites of several undisclosed companies, netting them a collective $40,000 in bug bounties.

“Throughout our research period, we have reported this kind of vulnerability to a lot of renowned companies,” the research duo told The Daily Swig.

In total they reported around 80 bugs to vulnerability disclosure programs.

JavaScript trade-off

JavaScript, the language of the front-end web, allows developers to dynamically change the properties and functions of objects, the basic construct of a program.

But this flexibility comes with a trade-off: if programmers are not careful, malicious actors can use security holes in an application to inject attacker-controlled properties into its objects’ prototypes, so that every object inheriting from those prototypes picks them up.

Tools and techniques for finding prototype pollution

Key attack vectors for prototype pollution include user input fields and query parameters passed on to websites. If a site’s JavaScript code iterates through query parameters and assigns them to objects without sanitizing the keys, it can end up writing to the object prototype rather than to the object it intended.
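The query-parameter vector described above is easiest to see in a small parser. The following is an added example, not code from the article or from the researchers’ tooling: a naive query-string parser that supports nested keys such as `user[name]=alice`, the prototype-pollution defect it carries, a hardened version of the same parser, and a runtime check that tells you whether `Object.prototype` has been tampered with. All function names (`parseQueryNaive`, `parseQuerySafe`, `isPrototypePolluted`, `demo`) and the sample query string are constructed for this example.

```javascript
// Added example: prototype pollution via a nested-key query-string parser.
// Function names and the sample query are constructed for illustration.

// Property names that must never be used as keys on a plain object.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Split "a[b][c]" into ["a", "b", "c"].
function splitKeyPath(rawKey) {
  const parts = [];
  const re = /([^\[\]]+)/g;
  let m;
  while ((m = re.exec(rawKey)) !== null) parts.push(m[1]);
  return parts;
}

// VULNERABLE: walks the key path and assigns blindly. For the key
// "__proto__[polluted]" the walk steps through result["__proto__"], which is
// Object.prototype, and the final assignment lands on every plain object.
function parseQueryNaive(queryString) {
  const result = {};
  for (const pair of queryString.replace(/^\?/, "").split("&")) {
    if (!pair) continue;
    const [rawKey, rawValue = ""] = pair.split("=");
    const path = splitKeyPath(decodeURIComponent(rawKey));
    if (path.length === 0) continue;
    const value = decodeURIComponent(rawValue);
    let cursor = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof cursor[path[i]] !== "object" || cursor[path[i]] === null) {
        cursor[path[i]] = {};
      }
      cursor = cursor[path[i]];
    }
    cursor[path[path.length - 1]] = value;
  }
  return result;
}

// HARDENED: rejects reserved keys, builds containers with no prototype at all,
// and only descends into properties the container itself owns.
function parseQuerySafe(queryString) {
  const result = Object.create(null);
  for (const pair of queryString.replace(/^\?/, "").split("&")) {
    if (!pair) continue;
    const [rawKey, rawValue = ""] = pair.split("=");
    const path = splitKeyPath(decodeURIComponent(rawKey));
    if (path.length === 0 || path.some((p) => BLOCKED_KEYS.has(p))) continue;
    const value = decodeURIComponent(rawValue);
    let cursor = result;
    for (let i = 0; i < path.length - 1; i++) {
      const key = path[i];
      const own = Object.prototype.hasOwnProperty.call(cursor, key);
      if (!own || typeof cursor[key] !== "object" || cursor[key] === null) {
        cursor[key] = Object.create(null);
      }
      cursor = cursor[key];
    }
    cursor[path[path.length - 1]] = value;
  }
  return result;
}

// Runtime check: has `prop` been written directly onto Object.prototype?
function isPrototypePolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Demonstration on a constructed query that mixes a legitimate parameter with
// a pollution attempt. Returns the state of Object.prototype after each parser.
function demo() {
  const q = "?user[name]=alice&__proto__[polluted]=yes";
  const before = isPrototypePolluted("polluted");
  parseQueryNaive(q);
  const afterNaive = isPrototypePolluted("polluted");
  delete Object.prototype.polluted; // undo the global damage for the next step
  const safe = parseQuerySafe(q);
  const afterSafe = isPrototypePolluted("polluted");
  return { before, afterNaive, afterSafe, safeUserName: safe.user.name };
}

console.log(JSON.stringify(demo()));
// → {"before":false,"afterNaive":true,"afterSafe":false,"safeUserName":"alice"}
```

The hardened parser relies on two independent measures: the deny-list stops the three keys that reach the prototype chain on ordinary objects, and `Object.create(null)` containers mean that even a key the deny-list missed would become a harmless own property rather than a prototype write. The `isPrototypePolluted` check is the kind of assertion worth running in a test suite after exercising every code path that merges untrusted input into objects.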

The researchers wrote a bot that “runs on a huge subdomains database” and looks for JavaScript code patterns that are vulnerable to prototype pollution. They also developed a browser extension called PPScan that provides similar functionality while running in the background.

And they found ways to zero in on the line of code where the prototype pollution vulnerability kicked into action. For this, they used a combination of browser developer functionalities and search patterns.

Finally, they used tools to find ‘script gadgets’: legitimate fragments of JavaScript code that can be exploited through prototype pollution to stage cross-site scripting (XSS) attacks.

Neglected research area

While the research duo believe the vulnerabilities were not necessarily the result of bad coding practices, they are worried that prototype pollution is being neglected.

“When we look at the pitfalls of JavaScript or secure coding practices for JavaScript, we don’t find many references about prototype pollution and we think that’s the reason it’s exploitable at this scale,” the researchers said.

“We hope our blog gives more light to this attack surface and helps people mitigate these issues at scale with the provided information.”

Team effort

s1r1us and BlackFan enlisted the support of 13 other researchers with expertise in the field, who helped develop the right tools for the task. With prototype pollution defense still an underdeveloped space, this proved crucial.

“Having a group of skilled people can be helpful when conducting large-scale research,” they explained. “Every one of the researchers brought something new to the research. No wonder we have been doing this research for over a year.

“Having people around you still poking at things without being demotivated can be very encouraging. Also, needless to say, you get to learn a ton.”
