A team made up of security researchers from the Georgia Institute of Technology has found a way to exploit Node.js applications by manipulating the hidden properties used to track internal program states, the group plans to announce at the virtual Black Hat USA security conference next week.
The novel attack technique, dubbed Hidden Property Abusing, allows a remote attacker to inject new values into Node.js programs through passing objects that the framework, under the right circumstances, will treat as internal data. Using a tool to analyze a sample of 60 major Node.js components, the researchers found 13 vulnerabilities — ranging from SQL injection to the ability to bypass input validation. The tool, dubbed Lynx, will be released at during the virtual Black Hat USA security conference, says Feng Xiao, the primary researcher and a doctoral student in the School of Computer Science at Georgia Tech. "Our attacks focuses on certain program states or properties defined by the developers, such as the user ID or other program features," he says. "We found that this attack pattern is pretty common, but they can be complex to find, so we built the tool to help others."
A team of researchers from Georgia Tech find a new attack technique that targets properties in Node.js and plan to publicly release a tool that has already identified 13 new vulnerabilities.