Several dangerous attacks possible

jQuery below 3.4.0 vulnerable to prototype pollution

All jQuery versions below 3.4.0 are affected by a new hacking technique called prototype pollution. Successful exploitation could allow an attacker to modify existing object properties, including security properties such as cookies or tokens. Privilege escalation, content manipulation, application hijacking and even remote code execution are possible.

WHAT IS PROTOTYPE POLLUTION

Prototype pollution is the ability to remotely modify the prototype of a JavaScript object. JavaScript objects can contain multiple values based on a predefined structure. Prototypes define the default structure and values of a JavaScript object. JavaScript allows changing all object attributes, including __proto__, constructor and prototype. An attacker manipulates these attributes to pollute an application's object prototype by injecting other values. Properties set on Object.prototype are then inherited by all JavaScript objects through the prototype chain.
This enables several highly dangerous attacks: denial of service against the application server or web server, privilege escalation, or content manipulation. Under special circumstances (see below) an attacker can even execute code remotely.
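The mechanism described above, as an added example that is not code from jQuery or from the original page: a naive recursive merge of the kind that is affected, beside a hardened version that refuses the prototype-reaching keys, plus a check for an already polluted runtime. All function names and the JSON payload are constructed for this illustration.

```javascript
// Added example, not jQuery's code: naive vs hardened recursive merge, plus a
// check for a polluted Object.prototype. PAYLOAD is constructed sample input.
function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}
// Vulnerable pattern: recursing into target[key] for every key means a
// "__proto__" key resolves to Object.prototype and the write lands there.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: drop the keys that can reach the prototype and recurse
// only into the target's own properties, never into inherited ones.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeMerge(isPlainObject(own) ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection: has anything written an own property onto Object.prototype?
function isPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}
const PAYLOAD = '{"name": "guest", "__proto__": {"isAdmin": true}}';
// Run one merge over PAYLOAD, record what an unrelated object now inherits,
// then delete the polluted property so the runtime is clean again.
function demonstrate(merge) {
  const settings = merge({}, JSON.parse(PAYLOAD));
  const result = { settingsName: settings.name, polluted: isPolluted("isAdmin"),
                   unrelatedObjectIsAdmin: ({}).isAdmin === true };
  delete Object.prototype.isAdmin;
  return result;
}
```

Calling demonstrate(naiveMerge) reports a polluted prototype and an unrelated object that suddenly inherits isAdmin, while demonstrate(safeMerge) keeps the legitimate "name" key and leaves Object.prototype untouched.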

Insight
Remote code execution with prototype pollution is only possible if the application's JavaScript reads a specific attribute of an object and then executes its value as code.

Example:
eval(myobject.myattrb)
If an attacker pollutes Object.prototype.myattrb, they can most likely perform a remote code execution attack.

For more information on the prototype pollution flaw, see:
Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub

NOT SO EASY TO EXPLOIT

If the application uses jQuery only to animate some menus, it is most likely safe. If jQuery is used for more complex operations, such as building frontends or interacting with server-side systems, it may be exploitable. However, this technique is currently not mass exploitable: prototype pollution flaws require the attacker to have detailed knowledge of the website and its programming.

Prototype pollution attacks can allow a break-in to systems that are considered secure. Since the exploit takes some time to execute successfully, it is likely to be used against high value targets.

Proof-of-concept code for the prototype pollution vulnerability in jQuery (CVE-2019-11358) already exists. It shows how an attacker could assign themselves administration rights in an application that uses jQuery.

MILLIONS OF WEBSITES AFFECTED

According to w3techs.com, as of March 2019, 73.9% of all sites use jQuery. This corresponds to 97.3% of all websites with known JavaScript libraries. Of those jQuery sites, 84.6% use version 1, 8.0% use version 2 and only 7.4% use version 3 of the library.

PATCH AND BACKPORTS

The jQuery team has released a fix for this issue. We strongly recommend upgrading to version 3.4.0 or later. Daniel Ruf has backported this fix for the following versions of jQuery:


#jquery | #prototype pollution | #java script | #vulnerabilities