Millions of developers use JavaScript to build websites and mobile apps, making it one of the most popular programming languages in the world. But according to Johns Hopkins researchers, thousands of JavaScript websites are vulnerable to a security flaw that could result in manipulating the site’s URL or stealing a user’s profile information.
Known as prototype pollution, the flaw allows attackers to modify, or “pollute,” a prototype, which is a built-in property of a JavaScript object. An attacker who manages to alter a JavaScript object prototype can execute a variety of malicious actions.
With a framework they call ProbeTheProto, researchers from the Johns Hopkins Information Security Institute analyzed one million websites running on JavaScript and found that more than 2,700 websites—some of them the most visited in the world—had multiple flaws that could expose them to prototype pollution.
Ten of the sites were among the top 1,000 most visited websites of the year, including Weebly.com, CNET.com, and McKinsey.com.
“Only recently have researchers started looking closely at prototype pollution and realizing it’s a matter of great concern,” said cybersecurity expert Yinzhi Cao, an assistant professor of computer science in the Johns Hopkins Whiting School of Engineering. “Many in the developer community may not be aware that prototype pollution vulnerabilities can have severe consequences.”
In JavaScript, an object is a collection of related data or functionality; for example, a user account object may contain such data as usernames, passwords, and e-mail addresses. Once an attacker makes a change to an object prototype, it affects how the object works throughout the entire application and opens the door for more serious vulnerabilities, Cao adds.
He and his team set out to study this snowball effect using dynamic taint analysis, a method in which inputs to the application are labeled with a special “tainted” marker and the researchers observe how the tainted data propagates through the program. If the marker is still there at the program’s output, the researchers know that the application is vulnerable to exploitable input attacks that could lead to some unplanned action.
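As an added illustration (not code from the paper or from ProbeTheProto) of how one polluted prototype reaches every object in an application: a recursive merge of the kind many client-side libraries use, fed a constructed input carrying a `__proto__` key, beside a hardened merge that skips prototype-chain keys. The function names and the sample input are assumptions made for this example.

```javascript
// Vulnerable pattern: copy every key from src into dst, recursing into objects.
// When src has an own "__proto__" key, dst["__proto__"] resolves to
// Object.prototype, and the recursion writes the attacker's keys into it.
function unsafeMerge(dst, src) {
  for (const key in src) {
    if (typeof src[key] === "object" && src[key] !== null) {
      if (typeof dst[key] !== "object" || dst[key] === null) dst[key] = {};
      unsafeMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Hardened pattern: only own keys, refuse keys that reach the prototype chain,
// and create nested containers without a prototype at all.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (typeof value === "object" && value !== null && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(dst, key) ||
          typeof dst[key] !== "object" || dst[key] === null) {
        dst[key] = Object.create(null);
      }
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Constructed untrusted input (e.g. parsed from a query string or JSON body).
const UNTRUSTED = JSON.parse('{"theme":"dark","__proto__":{"isAdmin":true}}');

function runUnsafe() {
  const settings = unsafeMerge({}, UNTRUSTED);
  const leaked = ({}).isAdmin === true; // an unrelated object now inherits isAdmin
  delete Object.prototype.isAdmin;      // undo the pollution so the demo is repeatable
  return { theme: settings.theme, leaked };
}

function runSafe() {
  const settings = safeMerge({}, UNTRUSTED);
  return { theme: settings.theme, leaked: ({}).isAdmin === true };
}
```

Freezing `Object.prototype` at application start (`Object.freeze(Object.prototype)`) is a further defence-in-depth step that makes such writes fail outright.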
“Imagine a very long pipe in a big black box and I want to know whether Points A and B are connected. If they are, I can put some toxic liquid at Point A to attack Point B. What we do is to drop a bit of red dye in the water at Point A and then observe the water color at Point B. If I can see Point B is also red, I know A and B are connected and then we can launch attacks,” Cao said.
The researchers identified three major input attacks that can be caused by prototype pollution: cross-site scripting (XSS), cookie manipulation, and URL manipulation. Such vulnerabilities on public websites provide ample opportunities for cyber criminals to hijack passwords and install malware, among other nefarious activities.
Cao says that researchers have a responsibility to report prototype pollution vulnerabilities to website owners and even recommend the best patch for their code. Thanks to Cao’s team sounding the alarm, so far 293 vulnerabilities have already been fixed by developers.
“Organizations don’t even know these vulnerabilities exist. Our ProbeTheProto tool can automatically and accurately detect a wide range of potential attacks. And we’ve found that many developers are happy that we are helping them stay ahead of cybersecurity threats,” Cao said.
Computer science graduate students Zifeng Kang and Song Li contributed to the research. The team members will present their paper “Probe the Proto: Measuring Client-Side Prototype Pollution Vulnerabilities of One Million Real-world Websites,” at the Network & Distributed System Security Symposium, April 24-28 in San Diego.