Um, this I'm not broadcasting up to the thing. I'm just doing this. All right. Fine. Well, no, wrong one. This guy? Yeah. Okay. Let me... I only decided I wanted to do this as I was, like, walking here. Okay. Here's this. Kind of like I was doing this with the VIP team on Wednesday. This is like a list that I just sort of cooked up one day or whatever of all the little micro web exploits that I've seen pop up in CTFs and things like that or whatever. The topic I want to do today is prototype pollution. Five years ago, maybe six years ago, nobody would say the term prototype pollution. Do they still have that? Like, the Google search term history graph thing. Google Trends, can go "proto", explore, the past day, interest over time, past five years. That's pretty consistent, 2004 to present. Oh, I think I'm wrong, I don't know, that's really odd because, like, I don't, I don't think the world was that kind of world here, actually. Yeah. Wait, I guess that's 100, maybe nobody's searching this thing at all. I don't know, 14 people. Okay. All right. So maybe the number of people who do web exploitation is not as large in the world as, you know, TikTok followers or something. What I was trying to get at is this thing, which is that this is empty. And then 2018, maybe this is just incidental combinations of the words prototype and pollution. Like, I don't know, maybe this is accidental. But I think, anyway, okay, 2018, why am I going to pontificate on this? This class is super shotgun, right? As I was walking up, it's... I know that your retention rate is not going to be very high. I learned that when we did the crypto stuff. Right, where it's like, all right. Which is okay. Right. It's good, but like five days of crypto or whatever and you've got to have a recap. Same thing for me if I were to go back and watch Westworld or something. And be like, you know, in the previous seasons of Westworld, all of this happened, like, oh yeah, gosh, I remember all those people. Okay.
The web is an ever-moving target, right? There will always be new stuff, and all of those exploits that are new existed forever. And they get discovered and talked about. And then, like, propagated. That to me is like a weird philosophical thing to say. Like, all the exploits that we will discover five years from now that nobody's talking about are live right now. There's going to be universal cross-site scripting attacks that are very possible right now; in ten years you'll know about them and you'd be like, boy, I wish I had figured that out back in 2023 or whatever. I don't know. I guess I'm talking about, like, the cyber life cycle maybe of a thing: pops into existence, we all fart around with it for a little while, we try to patch what we can patch, and then we keep on going. Preparing for today, I watched this DEF CON talk that I added in here or whatever. It's like from August and there's only like 1,000 views on it or something or whatever. But this guy found universal prototype pollution gadgets scattered throughout Node and its libraries. I think that the hype cycle meant that... it's like, I don't know, it's like an ecosystem, right? Like, I don't know, blockchain, like, it had a hype cycle and then, like, it was like that or whatever, and it's like now I'm actually starting to get interested in blockchain. During the hype cycle, no, but once the hype cycle kind of cleared out all the chaff or whatever, it's no longer snake oil or whatever, say. Okay, now what's the actual tech, right? I think I'm advocating for the surfing wave. I've probably told you this before, but in web, like, crap at the peak is always really choppy and you want to ride just a few years behind it. And that's the place where you've got the code is mature enough but it's not going to break every few seconds. The community is still there and you can ride it for a while before it's, like, completely dead. Like, this is COBOL, Fortran or something, and this is like, I don't know, Rust or something.
I want to ride it right here once all the crap has been sifted out or whatever. Anyway, part of what I'm saying is that my job in this class is to prep you. To be able to go out into the world and recognize vulnerabilities. Identify the places, like, do the static analysis, et cetera. Ten years from now, there will be three or four new exploits that I don't know about today, that you will know about in 2023 or 2033. That's why I like CTF. CTF keeps my ear to the ground of, like, hey, there's this wacky little thing popping up or whatever, something like that. And say, this is interesting, and that's why I like writing the CTF problems or whatever. You're like, hey, this is interesting. I'm going to make a problem to try to tell the other people who are tuned into this frequency that that's happening, right? It's a wacky little thing and, and I never know with classes which of these matter. Each one of these things, maybe not each one. Privilege escalation is a little bit transcendent as a concept. But each one of these things had their hype cycle in the sun, are out there somewhere. You might inherit a code base from a different era of development. It's, I don't know which ones matter and which ones don't or whatever, and they all do. What matters more to me is your ability to tap in and listen and figure out the new stuff, right? That'll feel very different in secure software design, by the way, but in this class, project two is my way of saying, okay, you're not going to have fully mastered all that crap, but you'll probably have figured out eight of them, something like that. And hopefully you'll figure out how to figure out new ones that you've never seen. Like I have to do every semester when it's like, what's the new shit now? Oh, it's this. Okay. Let's make a problem out of that or whatever, and try to explain it reasonably well. It's like, it's like headline surfing or something or whatever, which is not true in any other academic class.
In my opinion, if I'm using fast Fourier transforms or whatever, it's like hundreds of years old now, right? Like, I did modern algebra, which is like 1800s, I don't know. It gives me a little bit of imposter syndrome, teaching web app security or something, right? Like, there's no way to really see all of it or whatever. Anyway, blah, blah, blah, blah, blah. That wasn't well thought out, it was more like me walking from the car to here and, like, this is a wacky little thing, I just want to bring the meta analysis: like, web stuff requires you to just always be farting around with it in order to stay relevant. Otherwise, SQL injection is going to pop up all the time in conversations. It does not pop up all the time in real life exploits, right? Just like you're not going to have to write a sorting algorithm, even though you've studied them in class. What subset of these to do with you or whatever. Enough that I feel like you can pick up and go and do whatever matters five years from now, which I don't know yet. With me, start the bingo project. I guess I put in an alert Saturday night when I realized, like, we were doing pretty good in that Hong Kong CTF. And it's like, all right, hey, jump in. The one that I was hoping you would solve, I stayed up until like two or three in the morning trying to solve, and, like, I got the wrong idea and I went to bed. It ended up being a little harder than I thought. It was easy enough to wrap my mind around. I didn't crack it and I just gave up and went to bed. Probably you didn't crack it either, but you could have done the other ones or whatever. Just logged in and done your own thing and got points out of that. I'll try to do that for the rest of the year. CTF, I'm going to look at it. If you want to find the ones that are the most points to you, just go to CTFtime.org and look at upcoming events. Any of these that are... you can jump in and do. This.
One says it's online, that looks like it's only an eight hour window, which to me sounds like an event in Germany. But this all carries a risk with it. Here's a 24 hour. I always love Square. Here's finals week, right? Or whatever. Like, here's when your crap is due. It is very stochastic to get a live problem that you can solve and get the points out of or whatever. But it is the most efficient way in terms of your hours invested in the project, maybe. Okay, I just babbled a whole lot of crap. Let's talk prototype pollution. Here's the idea. I'm just going to jump in to any website, ever, fire up a console here, whatever that is, and say hi. All right, I'm going to say let x equal some object, let's make x 1, comma 2, comma 3, comma 4. The type of x is an object, array. Interestingly, in JavaScript, honestly everything is an object. If I say x banana equals 23. Now x has that in its array there, which is a little bit wacky because it was actually an object, and this was actually 0 is 1, 1 is 2, 2 is 3, whatever. Now banana is 23. If I say it, it runs. All right, now where did that come from in JavaScript? And I've said this before, but everything works from prototypal inheritance. That's... no other language that we teach in classes or anything like that is prototypically inherited. Prototype is really saying there is another object somewhere. My object is going to reference that object whenever it does not have a key of its own. That is to say, there is a magic sub key, x.__proto__. That thing is literally a reference to another object out there. That other object out there has all of these things, which include and, sum, and slice and length and whatever. This is the array prototype. Even that thing will probably have a prototype of its own. It doesn't look like it. Oh yes, it does. There we go. All right, that thing has a prototype which has these values. Maybe it keeps going, I don't know.
Proto, proto, how deep down the chain can we go? No. All right, so we only went up two and it's probably array, object, done. Okay, if I do the following. All right, so this is x. x was an array and it has a weird banana key. Now, now I'm going to say array prototype and will equal a function. We'll just say console.log, gotcha. Okay. Now all arrays everywhere have an and sort function. Didn't do anything useful. I didn't actually reference the self or this or whatever and do any sorting. But what that means is that x and sort is now callable and it will say gotcha. Okay. That is to say, object came into existence, I edited the prototype chain, object can now reference things directly from that prototype chain. So what it does is it looks to see: does x have any of these keys? If not, look at its prototype. Does it have any of these keys? If not, look at that prototype. Does it have any of these keys? If it gets to the end and it didn't find those keys, then it says undefined or whatever. So if I say, like, x f part, it'll say undefined because it checks all of x's keys, it checked x's prototype's keys, and it checks the prototype's prototype's keys. All right, you with me on the idea of prototypal inheritance? Okay, cool. So that's just JavaScript. That has always been JavaScript. Five years ago, people started figuring out how to exploit that. Here's their exploits. Okay. This is me making a nice little shuffler. So I can now shuffle any array or whatever. That's the thing you literally copy from Stack Overflow or whatever. Be like, how do I shuffle an array in JavaScript? And in fact, let's just see. Shuffle an array in JavaScript, you'll find a Stack Overflow somewhere. This one did it like that. There we go. And here's somebody doing it directly from the prototype. One could but should not use it as a prototype from array. All right, fine. Say okay. And now all arrays have a shuffle function, whatever. Okay, cool.
So here's the nature of the exploit. Honestly, this is not that interesting. Like, this makes it seem more complex than it is. This is the interesting part. If ever, in any way, you can write a value to an arbitrary key on anything, then you can make your arbitrary key proto and add keys to the prototype of the thing you're writing to. Okay, let me say that differently. This is an empty object. This empty object has the key corrupted, because now, after this line of code, all objects everywhere have a corrupted key. All right, let's do that over here. We have x, great. If I am allowed to write, or let's say y is an object, we'll make it, we'll start there. And you're going to say something like y name equals Andy. Okay. Now y has that, and supposing that I can control the word name there instead of the word, just the part. Then I can do y.__proto__. Now I could say, like, fart fart or whatever equals 23. Now x fart fart exists. All right. That's, that's a weird thing that will get you a shell. That's a weird little thing that will get you a shell. That is to say, y was just some one-off object and I was able to edit y. Now here I am editing two keys. Here I've got key one and key two, or if I could set this to an object or something like that or whatever, I have two keys. Now all other objects everywhere, including a brand new one off the street, unexpected token, all equal bo, all objects from now on after that one line of code have a fart fart property. Right now, that is the exploit part. I'm going to explain the topic this way. That is pollution. Here's my baseline level of what it takes to get some pollution somewhere. That is to say, you get some arbitrary object and you can control a key, and maybe a sub key, something. If you've got that much control somewhere in some way, you can do prototype pollution. Does prototype pollution matter or not? It all matters about what I'll call a gadget. A gadget is anything in the code base.
The most interesting code base is all of your Node packages, all of Node.js itself. There are lots of gadgets that are just out there. A gadget is any place where you are, I read this as, public speaking wise, you're leaning on a configuration or a default value. If I've got a default value anywhere, then prototype pollution can exploit that. Here's my dumb example. This is actually based off of a real internal thing, but I changed it to try to sell the story, to say some function somewhere in some library consumes some stuff. If there are no options, then options is an empty object, that thing. If options has a file parameter, replace file with that. If options has an environment parameter, I either use the optional one or the process's environment or whatever, and then do something. These are what gadgets look like. The gadgets are the flip side, the thing that can be exploited given prototype pollution. That is to say, something that leans on a default value somewhere. Now I can control something here, I cannot control anything here. This is, like, out there in the wild somewhere, deep in the internals of some Node library. But because I can edit an arbitrary object once, I can set these default values here, here, and here. Which means that I can provide a default file and a default and find a situation where it leans on me instead of whatever was hard coded in. All right, that's the story of the exploit. There's a 20 minute video of that. Here are gadgets that exist in Node.js and npm's libraries themselves, that are in every single Node project ever: shell M main exports. This is literally just, like, any use of the word require. If the package did not specify in their package.json a main key, plenty of them don't, then you can overwrite the main key and then require an arbitrary file. Which means you can, if you can control a file somewhere, then you can load that file arbitrarily on any Node package ever that leans on that one wacky thing. Okay?
It seems a little esoteric, but it's not at all. Here's my flag for you now. This is the place where, I guess I don't have Discord up, this is the place where I now want you to crack this based on the words I've said. Here's the place where I want the round tables. I know the timing of it all or whatever. If I crack this for you, it won't take enough time. I don't think it as well. If you've got a laptop, bust out a laptop. I'll drop you the link here. This is the flag for the day so you can get some flag credits for it. Okay. All right. Sharks it fine. There you go. You have your blood drop. Okay. Wait. Yeah. Yeah. Okay. All right. So let's walk through, like, what's going on. But I actually want to just, like, force you to do it, which is not a thing I've made you do in this classroom environment. That's part of why I was starting asking about secure software design or whatever later. Okay? Okay. Whenever I get one of these, by the way, I do a lot in a lot of my things. This is the line of code that got executed that is showing us the source code. It is cringeworthy to write a CTF problem in which you give no sources. Web is annoying. But it's often annoying to look at somebody else's source code as the website instead of pretending like we've got something beautiful or whatever. I skip the beauty and just go straight to the source code. Okay, what have we got? We have a JWT secret key. Great. Cookies and bodies. No big deal. We have some middleware, we're maybe accustomed to this, where I have an access token in the cookies. If there is no token, you get 403. It will verify your token with the private key. If your data has isAdmin, then the request admin will say data.user isAdmin, otherwise false, and then move on. Okay. The flag requires going through the JWT middleware. All right, fine. It's checking to see whether or not admin exists or not in there. Here is where you're going to get your access token.
Getting an access token requires just doing a post to the empty thing here. All right. You guys comfortable doing a post to an arbitrary URL? My favorite way to do that is Postman. You can also use curl or whatever and things like that, et cetera. How's it going to work? It's going to take the body of your request. This is the line that's weird. All right. zipObjectDeep. If I'm just understanding what's going on, I'm trying to, like, wrap my head around the escape room that I'm in. That's the thing I start to Google. Whenever I Google for a CTF, I have CTF write-up to find something, but I don't see it in actuality. All right. Fine. How about this gun? What is Google doing? Put this in quotes. All right. Fine. There we go. Set up Ke. Fine. Okay. Let's take a look at what it does. Or we can do it without the CTF write-up. The zipObjectDeep method is going to take an array of props, an array of values, and make an object, please. It'll make an object that honors the... in your thing, in order to go deep in object creation, let the keys be arbitrarily deep or whatever. This guy is going to set a, has a sub object b, which has an array, [0], [1]. This one is going to contain an object, and this one is going to contain an object. All right, wacky. And this is going to set one to the value of that thing, and this will set two to the value of that thing. This is a dumb example. That's fine. Here I've got 40, 30, 90 as an array, and 1, 2, 3, it says 30. Why is that in a weird order? 40 gets 1, 30 gets 2, 90 gets 3, that's why it's in a weird order, et cetera. So that's what zipObjectDeep does. It's going to take in an array of keys, an array of values, and make an object where each element in the keys gets set to the value in the corresponding value. And it's going to, like, walk through the array. Okay. Then, completely unrelated, I'm going to make an object called user. I'm going to check to see whether or not user had isAdmin. This is the gadget.
This is me making a stupid gadget so that you have a gadget. Prototype pollution lives here. Gadget lives here. Everything else is up to you. Your job is to edit the general object prototype, make it so that isAdmin defaults to true on all objects everywhere. Then I literally will clean up whatever you just did after I've signed your data, but okay, fine. Are you with me on the concept? All right, not quite sure how to do the Twitch Plays CTF thing or whatever. Those that are sitting in the back can tell exactly how many of the screens are, like, on anime or something or whatever, instead of the thing. I could walk around, I don't know. But you chat with each other, et cetera. Yeah, we haven't, we haven't spent a lot of time doing the full interactive thing. But I know if I just do it, it's a little bit short. It's okay. But. This is sort of my hello world, right? So if I think mentally, I kind of get what to do, but I'm not sure the actual steps or whatever. I always want to get my hello world. Somebody was damning me about one of the things they ended up with, a JSFuck problem or whatever. And it's like, okay, that's fun. It is fun. But step one: get one plus one equals two or whatever. Get a true to show up, or a console to show up, or something like that. In our case, that is do a post request to the right place, set your body to JSON. I'm doing raw JSON. Then I'm sending an object that has keys and vals. It's going to do a zip deep of 1, 2, 3, 4, 5, 6, and that is the result of the zip deep. And my job is to corrupt all objects everywhere. Yeah, you did. The post happened. When we do the post request, I send it my body as JSON and that's allowed by this line. It receives the key of my body called keys, which if it doesn't exist will take an empty array, and the key of my body called vals, which if it doesn't exist will take an empty array. Then it's going to just make an object called zip demo whose keys come from this array and whose vals come from this array.
And key zero gets val zero, key one gets val one. Then it forms a little object where your role was set to guest. Admin is the gadget, which will default to whether or not isAdmin was set, or false. Ridiculous premise to make, like, what is my simplest possible prototype pollution flag I can write for you. Then they will sign it with what's actually a pretty secure little JWT key, like you're not going to guess that. We've done JWTs in the past. We had a weak password. This one is not a weak password. Then it's going to return that to you in a cookie called access token. It will also report back to you the zip demo that you made as an extra prototype thing. It'll say, by the way, I expected you to do nasty things to isAdmin in the object prototype, which I'm going to clear out. I'll do that over here in the console. It's roughly this. Given any object, __proto__ is my access to the object prototype. Then this thing is deep, so I can do whatever and start setting things. Once I edited this set of keys, for now has... Yeah. Yeah. Now, this isn't the exact same notation, so you have to, like, adapt it to sort of the notation of zipObjectDeep, which you can just Google around at. It's more like this notation than that. Then once you have that, I think you just turn around and just go get flag, or maybe take it and set it to your cookie or something. How you've already got it to Will and Shark. That'd be not a bad, like, sitcom parody or something like that. Like from Will and Grace or whatever? Will and Shark. Yeah. Yeah. Now it looks like you're on, like, a crappy little tablet or whatever. Sure, sure. So Postman won't work for you in that way, but that's okay. There's plenty of ways to, like, I don't know, make post requests, one JavaScript or whatever, bin.com. Yeah, it used to be purely a website thing. Now then they wanted to be an app. Just... Well, I can't say sit to that. Uhhh, yeah. But I, I kind of can't. Nothing to this. Oh wait. Oh, I see.
Never mind. I see. I see. Okay. Us. Fooled me. He. Alright, so you can do that from your crappy little tablet back? Yeah. Yeah. Has ever been able to make a request with just, like, where I can just see, you know, my 1, 2, 3, 4, 5, 6 kind of a thing. Good. So if I overwrite __proto__ to true, that's going to, like, destroy the prototype object, but we've got 3 minutes left. All right, I'll finish it for you, I guess. I don't know. If I go isAdmin. All right. Now I think this should be a JWT that has isAdmin false. All right. Let's see. Converting circular structure to JSON. Which line is it doing that at? Can we... 41? I can't tell. 41. It's definitely going to be here. And it's calling that a circular object. Fine, I did it twice. One was this guy. That is what I was hoping would do. It complained about this circular thing property. Proto closes the circle, which is, you know, I can live with that. Maybe I could even just do, like, x dot is proto or something, but it's not quite loving that. What I could do that I think didn't do the job because it didn't parse it, but it might actually be enough anyway. Oh, oh, oh, oh, like, we might be stepping on each other's toes. That's probably true. That's probably true. Okay. All right. That's fair. Uh, yeah. Okay. And then if I get that through, then I just switch over to a get flag with that cookie and send. This will tell me. Nope. But once that guy is the right one, okay. This is what I'm imagining should do the job. All right. I'll get yelled at. So at 10:06 I'll stop no matter what. That's prototype pollution.
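As an added example (not the lecture's CTF server code, and not lodash's own zipObjectDeep): a constructed deep-path setter with the same "keys array plus vals array" behaviour, the isAdmin gadget the lecture describes, the pollution the flag needs, and the hardened setter and gadget a defender would use instead; all function names here are assumptions.

```javascript
'use strict';
// Constructed stand-in for a zipObjectDeep-style deep setter (not lodash's code).
// "a.b[0].c" -> ["a", "b", "0", "c"]
function parsePath(path) {
  return path.replace(/\[(\w+)\]/g, '.$1').split('.').filter(Boolean);
}

// Vulnerable: it walks into whatever each segment resolves to. On a plain object,
// "__proto__" resolves to Object.prototype, so "__proto__.isAdmin" writes there.
function unsafeZipObjectDeep(keys, vals) {
  const result = {};
  keys.forEach((path, i) => {
    const segs = parsePath(path);
    let cur = result;
    for (let j = 0; j < segs.length - 1; j++) {
      if (typeof cur[segs[j]] !== 'object' || cur[segs[j]] === null) cur[segs[j]] = {};
      cur = cur[segs[j]];
    }
    cur[segs[segs.length - 1]] = vals[i];
  });
  return result;
}

// Hardened: reject prototype-reaching segments, build prototype-less objects,
// and only descend into keys the current node actually owns.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
function safeZipObjectDeep(keys, vals) {
  const result = Object.create(null);
  keys.forEach((path, i) => {
    const segs = parsePath(path);
    if (segs.some((s) => FORBIDDEN.has(s))) throw new Error(`rejected key path: ${path}`);
    let cur = result;
    for (let j = 0; j < segs.length - 1; j++) {
      if (!hasOwn(cur, segs[j]) || typeof cur[segs[j]] !== 'object') cur[segs[j]] = Object.create(null);
      cur = cur[segs[j]];
    }
    cur[segs[segs.length - 1]] = vals[i];
  });
  return result;
}

// The gadget from the lecture: a default that falls back to a property lookup,
// which consults the prototype chain when the own key is absent.
function buildUserVulnerable(body) {
  return { role: 'guest', isAdmin: body.isAdmin || false };
}
// Hardened gadget: trust only an own property with the exact expected value.
function buildUserHardened(body) {
  return { role: 'guest', isAdmin: hasOwn(body, 'isAdmin') && body.isAdmin === true };
}

// Walks the whole story and returns what each stage observed, then cleans up
// Object.prototype the way the CTF server says it does after signing.
function demo() {
  const keys = ['__proto__.isAdmin', 'a.b[0].c'];   // constructed request body
  const vals = [true, 'x'];
  const before = buildUserVulnerable({}).isAdmin;    // false: nothing polluted yet
  const zipped = unsafeZipObjectDeep(keys, vals);
  const pollutedFresh = ({}).isAdmin;                // true: a brand new {} now "has" isAdmin
  const afterVuln = buildUserVulnerable({}).isAdmin; // true: gadget fires
  const afterHard = buildUserHardened({}).isAdmin;   // false: own-property check holds
  const nested = zipped.a.b[0].c;                    // 'x': normal deep paths still work
  let rejected = false;
  try { safeZipObjectDeep(keys, vals); } catch (e) { rejected = true; }
  delete Object.prototype.isAdmin;                   // cleanup, as the server does
  const cleaned = ({}).isAdmin;                      // undefined again
  return { before, pollutedFresh, afterVuln, afterHard, nested, rejected, cleaned };
}
```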
Prototype Pollution
From Andrew Novocin November 13, 2023
Zoom Recording ID: 4159319948
UUID: TVlpzlT6TGKk8F24yU7klQ==
Meeting Time: 2023-11-13 02:15:05pmGMT
Department: ECE