Undefined-oriented Programming: Detecting and Chaining Prototype Pollution Gadgets in Node.js Template Engines for Malicious Consequences
Zhengyu Liu, Kecheng An, Yinzhi Cao
IEEE Symposium on Security and Privacy 2024 · Day 3 · Continental Ballroom 4
This talk, presented by Zhengyu Liu from Johns Hopkins University, delves into a sophisticated exploitation technique for **Prototype Pollution (PP)** vulnerabilities in JavaScript, specifically within Node.js template engines. While Prototype Pollution has been recognized as a significant vulnerability since 2018, its direct exploitation often falls short of achieving high-impact consequences like Cross-Site Scripting (XSS) or Remote Code Execution (RCE) without additional **gadgets**. This work introduces a novel concept called **Undefined-oriented Programming (UOP)**, which enables the chaining of multiple seemingly innocuous PP gadgets to escalate the severity of an initial pollution.
AI review
This research redefines Prototype Pollution, introducing Undefined-oriented Programming (UOP) to systematically chain seemingly innocuous gadgets into critical RCE/XSS. The automated UOP framework, employing concolic execution, uncovered 26 zero-days and led to 7 fixes in widely used Node.js template engines, proving that PP is far from a low-severity issue.