brasetvik | 3 years ago
Java has its “gadget chain” class of vulnerabilities, where the presence of certain jars can turn object deserialisation into RCEs. I’d argue that Javascript has “pollution gadgets”.
Some years ago I struggled to make lodash – which almost any non-trivially sized Javascript project has at least a transitive dependency on (possibly multiple versions of) – fix its “gadget” in its template function. It’s since been patched, and the conversation unfortunately deleted: https://github.com/lodash/lodash/pull/4518
Here are two real-world examples of turning a prototype pollution into an RCE: https://hackerone.com/reports/852613 and https://hackerone.com/reports/861744
(If you’re unfamiliar with prototype pollution: This is possibly a security bug in Javascript: `obj[a][b] = c` if a user controls a, b and c.)
black3r | 3 years ago
Not to mention that I've seen a couple of cases where the user isn't really able to control a, b & c, or like the one I mentioned, where it's just `obj[a] = b`, where both are controllable by the user, but `b` can't be an object (it's either null, true, false, or a string), so it shouldn't be exploitable at all, yet it still scored a severity of 9.8/10...
I'm not saying we should completely ignore bug reports of these types just because there's a lot of noise among them, just that when a CVE is filed with a critical severity and without a PoC exploit, someone should verify that the reported scoring is sensible before millions of developers using supply chain auditing tools get annoyed with a false positive...
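The two comments above describe two shapes of the same bug class: the nested assignment `obj[a][b] = c` with all three values attacker-controlled (exploitable), and the flat assignment `obj[a] = b` where `b` can only be a primitive (not a global pollution). The following is an added example, not code from the thread, lodash, or either HackerOne report; the helper names `setPathUnsafe` / `setPathSafe` and the attacker payloads are constructed for this demonstration. It shows the pollution of `Object.prototype`, a hardened variant of the same helper, and why the primitive-only flat case leaves the shared prototype untouched.

```javascript
// Added example (not from the thread). Demonstrates the vulnerable
// obj[a][b] = c pattern, a hardened version, and the flat obj[a] = b
// case with primitive b. All payloads below are constructed.

// Vulnerable "set nested key" helper of the kind found in many utility
// libraries; a, b and c come straight from user input.
function setPathUnsafe(obj, a, b, c) {
  if (typeof obj[a] !== "object" || obj[a] === null) obj[a] = {};
  obj[a][b] = c; // a === "__proto__" makes this Object.prototype[b] = c
  return obj;
}

// Hardened: refuse keys that reach the prototype chain, only descend
// into own properties, and use prototype-less containers for new levels.
const FORBIDDEN_KEYS = new Set(["__proto__", "prototype", "constructor"]);

function setPathSafe(obj, a, b, c) {
  if (FORBIDDEN_KEYS.has(a) || FORBIDDEN_KEYS.has(b)) {
    throw new Error(`refusing to set prototype key: ${a}.${b}`);
  }
  const own = Object.prototype.hasOwnProperty.call(obj, a);
  if (!own || typeof obj[a] !== "object" || obj[a] === null) {
    obj[a] = Object.create(null); // no prototype to pollute
  }
  obj[a][b] = c;
  return obj;
}

// Attacker-controlled a, b, c (e.g. parsed from a JSON body). The victim
// is a fresh, unrelated object: it never had a "polluted" key of its own.
function demoUnsafe() {
  const attacker = { a: "__proto__", b: "polluted", c: "yes" };
  try {
    setPathUnsafe({}, attacker.a, attacker.b, attacker.c);
    const victim = {};
    return victim.polluted; // "yes": every plain object now inherits it
  } finally {
    delete Object.prototype.polluted; // undo the pollution for the rest of the demo
  }
}

function demoSafe() {
  const attacker = { a: "__proto__", b: "polluted", c: "yes" };
  let rejected = false;
  try {
    setPathSafe({}, attacker.a, attacker.b, attacker.c);
  } catch (e) {
    rejected = true;
  }
  return { rejected, victimSees: ({}).polluted }; // { rejected: true, victimSees: undefined }
}

// Flat obj[a] = b with a attacker-controlled but b limited to
// null / boolean / string. The __proto__ setter ignores non-object values,
// and null only detaches *this* object's prototype; Object.prototype's
// own property list is unchanged in every case.
function demoSingleLevel() {
  const before = Object.getOwnPropertyNames(Object.prototype).length;
  const results = {};
  for (const b of [null, true, false, "x"]) {
    const obj = {};
    obj["__proto__"] = b;
    results[String(b)] = {
      protoChanged: Object.getPrototypeOf(obj) !== Object.prototype,
      globalPolluted:
        Object.getOwnPropertyNames(Object.prototype).length !== before,
    };
  }
  return results;
}

console.log("unsafe:", demoUnsafe());
console.log("safe:", demoSafe());
console.log("flat:", demoSingleLevel());
```

The `FORBIDDEN_KEYS` denylist is the usual quick fix; the `Object.create(null)` container and the own-property check are the more robust half, since they stop the helper from ever walking into an inherited object even if a new dangerous key name turns up. Run it under Node to see the polluted victim, the rejected payload, and the four flat-assignment results.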