A team made up of security researchers from the Georgia Institute of Technology has found a way to exploit Node.js applications by manipulating the hidden properties used to track internal program states, the group plans to announce at the virtual Black Hat USA security conference next week.
The novel attack technique, dubbed Hidden Property Abusing, allows a remote attacker to inject new values into Node.js programs through passing objects that the framework, under the right circumstances, will treat as internal data. Using a tool to analyze a sample of 60 major Node.js components, the researchers found 13 vulnerabilities — ranging from SQL injection to the ability to bypass input validation. The tool, dubbed Lynx, will be released at during the virtual Black Hat USA security conference, says Feng Xiao, the primary researcher and a doctoral student in the School of Computer Science at Georgia Tech. "Our attacks focuses on certain program states or properties defined by the developers, such as the user ID or other program features," he says. "We found that this attack pattern is pretty common, but they can be complex to find, so we built the tool to help others."
Hidden Property Abusing takes advantage of developers' assumption that the internal program states are unreachable by an external attacker. The root cause of the problem is that "[a]fter the input data is converted to objects, Node.js treats them as legitimate objects like any other internal ones," the researchers state in a yet-to-be-published paper on the topic. The attack technique is similar to JavaScript Prototype Pollution, in which an attacker modifies a prototype object that is then merged, changing the base prototype of an object — changes that are then propagated to other JavaScript objects based on that prototype. In the case of Hidden Property Abusing, however, the prototype is not changed, but the properties inherited from a prototype can be overwritten, the researchers say.
