Video details

USENIX Security '21 - Abusing Hidden Properties to Attack the Node.js Ecosystem


USENIX Security '21 - Abusing Hidden Properties to Attack the Node.js Ecosystem
Feng Xiao, Georgia Tech; Jianwei Huang, Texas A&M University; Yichang Xiong, Independent Researcher; Guangliang Yang, Georgia Tech; Hong Hu, Penn State University; Guofei Gu, Texas A&M University; Wenke Lee, Georgia Tech
Nowadays, Node.js has been widely used in the development of server-side and desktop programs (e.g., Skype), with its cross-platform and high-performance execution environment of JavaScript. In past years, it has been reported other dynamic programming languages (e.g., PHP and Ruby) are unsafe on sharing objects. However, this security risk is not well studied and understood in JavaScript and Node.js programs.
In this paper, we fill the gap by conducting the first systematic study on the communication process between client- and server-side code in Node.js programs. We extensively identify several new vulnerabilities in popular Node.js programs. To demonstrate their security implications, we design and develop a novel feasible attack, named hidden property abusing (HPA). Our further analysis shows HPA attacks are subtly different from existing findings regarding exploitation and attack effects. Through HPA attacks, a remote web attacker may obtain dangerous abilities, such as stealing confidential data, bypassing security checks, and launching DoS (Denial of Service) attacks.
To help Node.js developers vet their programs against HPA, we design a novel vulnerability detection and verification tool, named Lynx, that utilizes hybrid program analysis to automatically reveal HPA vulnerabilities and even synthesize exploits. We apply Lynx on a set of widely-used Node.js programs and identify 15 previously unknown vulnerabilities. We have reported all of our findings to the Node.js community. 10 of them have been assigned with CVE, and 8 of them are rated as "Critical'" or "High" severity. This indicates HPA attacks can cause serious security threats.
View the full USENIX Security '21 Program at


Hi, everyone. Welcome to our top. I'm fun she from Dog Tech. Today I'm going to talk about some interesting new vulnerabilities in Node JS ecosystem. The talk will power three parts. First, I will introduce the technical details of the attack, then I will talk more about the back finding part in which we build JavaScript program analyze source to automatically detect the new realities. In the last part, I will give an impact analysis on the new risk and some evaluation data about our tools. First of all, let's have some background information. No JS is for executing JavaScript code outside of browsers. The diagram on the right is an overall system diagram of Node GS to satisfy the needs of suicide scenarios. The runtime provides a set of core modules to let JavaScript interact with the host environment. Nowadays, many websites are deployed on or the GS. For example, dogs are intensively used in companies like PayPal and Linking for these applications. Packing communication data into object representations like Jason is a very common feature. This feature is convenient because with the help of this feature, not just applications can stand and receive complex data structures from the monthly download statistic. On the right. We can have a sense of how object sharing has been supported and used in the knowledge as ecosystem. However, the convenient object sharing introduced at Noble Risk, which we call hidden property, abusing HPA effectively injects additional properties during the object sharing and thus attack the critical internal program States. In fact, we call those additional properties as hidden properties because they are kind of like hidden parameters to the endpoint user API. These parameters are associated with certain internal program stays, but nobody knows the existence until an attacker launches HPA to attack them in the top, we mainly focus on the server side scenarios where a remote attacker wants to attack on no GS Web applications or sub microservices. Before we go into the details, let's just grab some conceptual information about the attack. Hpa identifies CWE 915 risks in those J, which is about improper modification of dynamic object attributes. Although search risks has been identified in some dynamic languages such as Ruby and PHP, we are the first to identify them in Node JS. Moreover, we find HPA differs from existing Water bilities in marital aspect, taking math on Simon for Durability as an example meter Simon is also a CWE 19 issue in Ruby. However, in massive silence, the attacker does not pass objects into the program like we did in HPA. Instead, the attacker abuses of platform specific feature to modify the certain existing objects during the assignment operation. Also, the payloads are different. Massive Simon payloads are literal value. However, HPA payload can be either literal value or nested objects. More importantly, Ruby is a strongly Typed language, so the massive signment vulnerability cannot introduce new properties to the work victim objects. However, HPA can inject Batory properties, which make HPA more flexible and powerful to illustrate attack details. We've used our real world one abilities we found from Routing Controller, our popular Web framework. We will attack this official code to demonstrate an end to and exploit from the security check by panting to cycle injection. So the first step is hidden properly. Injection where the malicious users include an additional property during the lobby of education procedure as showing the diagram, the attacker passes additional property named constructor. In the second step, the program will pass the input object. More specifically, the Solar program will perform a merge operation. The operation is carried out by putting every property of the Tavern object into the scammer object after the operation as showing the diagram. The hidden property is also propagating to the Scammer. Actually, the scalar object defines the input data format restriction, which is a critical data structure for the upcoming input validation. It is worth noting that this much operation does not result in prototype pollution. Instead, we only insert or conflicting them properly to the object at showing the green box the real property, the real product is not affected. Please refer to our paper for more discussion about prototype with such an insertion. When the function validates, one want to look up format information from the construction. It in fact reads our injected property rather than the real construction. To bypass the input validation, we just need to set the format specification as an Invalid value so that our sexual injection payload can escape the chat. The last step is much more straightforward. The validate is payload then flows into the sensitive database API to finish the entire task. Okay, so this is how an entire HPA exploit works. In fact, the code logic behind the word reality is much more complex than the simplified attack graph here. For example, the input validation module itself contains 300 lines of code, so it would be helpful if we can hype a tool to automatically track these data structures and discover harmful hidden properties exist in the program logic. To detect and exploit HPA, we proposed links or hybrid JavaScript program analysis tool. The diagram below gives a high level workflow of links. The tool many consists of two parts. The last part is for discovery in potential hidden properties. It will first leverage dynamic flow track into pinpoint user input data flows, and then it uses static synthetic analysis to you for potential hidden properties. The right part is for detecting hub for hidden properties and generate the exploit automatically. To help future not and security research, we will open source our links project at the link below. So for the first part, the very first thing links will do is dynamic data flow tracking. First of all, links will generate a label object, which is a unique key value peer, and it links will inject the label into the import data of the program. To observe the program exclusion, we leverage a JavaScript analyzes free work called Jelani to instrument our task program. In the end, I show in the rightmost diagram we execute the past program and start hidden property detection. During the exclusion links will examine every object within the data flow. If an object carries our property label, we reject it. In the first step, we apply the syntactic analysis to discover all potential hidden properties. In the second step, links further analyzes the recorded properties and by potential explorable imput. In order to do so, links first, generate and explore templates that can reach the potential wonder about proxy. In the second step, we run the testing program with our constructed templates and all symbolically excused the hidden property. As shown in the diagram, the symbolic execution engine will try to explore all the possible passes. In this project, we define six different sinks for the hidden property abusing. When a certain thing is hit, links will fetch the corresponding payload and add it to the final output. During our research, we choose 102. Why did you use the Knowledge program for evaluation? With links, we track more than three0 property carriers and detect more than 400 hidden property candidates. In the end, we confirm, not 150 day one bites with the help of symbolic fusion links. Even synthesize ten exploits automatically. So how is the impact of the detected? One of it is we found that HPA can introduce various attack effects, such as leaking credential data by passing security checks or devil services. Further result, we actually have two insights. The first is that hidden probably abusing effectively enlarged the logs attack services because we compromised previously on Reachable program States. Second, classic defense are not mitigating HPA. We found that some widely used input validation modules are even water able to HPA themselves. To conclude. First, we designed a hidden property abusing attack, which leads to the discovery of 150 day vulnerabilities in node JS 1. Second, we designed a novel program analyze store to automatically detect and exploit HPA. Third, our evaluation shows that HPA can effectively attack previously on reaching for program States and these two many security risks. Thanks for attending our talks.