Unsanitized user input risk spotted in JavaScript framework

A bug in Ember.js - a JavaScript framework for building Node.js web applications - created a prototype pollution vulnerability

A bug in Ember.js, a JavaScript framework for building Node.js web applications, allowed attackers to stage prototype pollution attacks against the host server.

Prototype pollution attacks take advantage of JavaScript’s dynamic property-assignment features to make global changes to critical objects. In the case of Ember.js, the prototype pollution vulnerability could potentially allow attackers to stage cross-site scripting (XSS) attacks and steal user information.

Untrusted input

Masato Kinugawa, the security researcher who discovered the bug, first caught sight of it during another investigation.

“In spring 2021, I noticed an XSS bug in one of the domains owned by Google, and I reported it through the Google Bug Bounty Program,” Kinugawa told The Daily Swig. “When investigating the details, I noticed that the root cause was in the Ember.js framework.”

According to Kinugawa’s findings, if an application passes unsanitized user input to some of the property-setting functions of Ember.js objects, it can lead to prototype pollution.

RELATED Prototype pollution: The dangerous and underrated vulnerability impacting JavaScript applications

In essence, this means that the attacker can use the property function to traverse the object prototype and make changes to other parts of the JavaScript program, including the base object from which all other objects are derived.

The prototype pollution bug could potentially be chained with other vulnerabilities in the target application to carry out other malicious activities, including stealing credentials.

To abuse the flaw, an attacker would need a script gadget that accesses the vulnerable property setter. “In the case of Google's bug, I was able to use a Google reCAPTCHA gadget because the app used the reCAPTCHA script,” Kinugawa explained.

Feature or bug?

The capability to make dynamic changes to object structures and prototypes is one of the features that make JavaScript flexible. However, this also creates a challenge for developers, who must make sure property changes avoid resulting in prototype pollution vulnerabilities, especially when the changes are coming through user input.

“While deep property chaining is an intended feature of these APIs, and passing untrusted input to them is ill-advised, we agree that this behavior is surprising enough to constitute an increased security risk,” Ember said in an advisory.

A new version of the framework explicitly prevents the previously vulnerable functions from making changes to the object prototype.

Prototype pollution bugs remain elusive as they are not well understood by developers. Kinugawa provided some hints on how software developers might find similar vulnerabilities in their programs and the libraries they use.

“In most cases that I've found, the [prototype] pollution happened when converting the URL parameters to JavaScript object,” Kinugawa said. “So, anyone trying to find this type of bug should be able to find it by looking carefully at the URL parameter handling.”

RELATED React-based open source framework Gatsby patches SSRF, XSS bugs in Cloud Image CDN