Popular jQuery JavaScript library impacted by prototype pollution flaw

Prototype pollution flaws are "the next big thing" in JavaScript security research.
Written by Catalin Cimpanu, Contributor

Three years after its last major security bug, the jQuery JavaScript library --used on 74 percent of all internet sites-- has received another security patch this week.

This security update addresses a class of vulnerability --called prototype pollution-- that security researchers are only now starting to understand, and to discover in more and more JavaScript libraries.

What is prototype pollution

As the name suggests, prototype pollution is an attacker's ability to inject or modify properties on a JavaScript object's prototype, most often the shared Object.prototype, by feeding specially named keys such as __proto__ to code that copies attacker-controlled data into an object.

JavaScript objects are like variables, but instead of storing one value (var car = "Fiat"), they store a collection of named properties (var car = {type:"Fiat", model:"500", color:"white"}).

Every object is linked to a prototype object, and when a property is not set on the object itself the lookup falls through to the prototype; nearly all objects ultimately inherit from Object.prototype, so a property added there shows up on every object in the application that does not define its own.

An attacker who manages to alter an object prototype can change how data is processed by the rest of the application and open the door to more dangerous outcomes, such as application crashes (denial-of-service bugs) or application hijacks (code execution flaws).

Prototype pollution, a growing threat for JavaScript

Prototype pollution attacks aren't new and were first documented years ago. However, they are only now being thoroughly cataloged because JavaScript, as a language, has evolved from handling basic UI interactions to working with large amounts of sensitive data as a server-side programming language --thanks to the Node.js project.

Hence, any prototype pollution attack can now have serious consequences in a web-dev world where almost everything revolves around JavaScript in one way or another, in desktop, mobile, browser, or server-side applications.

Over the past year --and especially after Olivier Arteau's NorthSec 2018 presentation about prototype pollution attacks-- security researchers have started looking more closely at the JavaScript libraries they have been using and searching for possible prototype pollution bugs.

These efforts have resulted in the discovery of prototype pollution flaws in a growing number of JavaScript libraries, such as Mongoose, lodash.merge, node.extend, deep-extend, and HAPI --some of them extremely popular in JavaScript server-side apps.

Prototype pollution in jQuery

This constant chatter about prototype pollution attacks also drew the attention of Snyk, a company that provides source code scanning technology, whose researchers were interested in documenting this new attack vector, Liran Tal, a Snyk security researcher, told ZDNet in an interview earlier this week.

Their analysis of prototype pollution attacks has resulted in the discovery of a similar flaw impacting jQuery, a JavaScript library that is so ubiquitous and ingrained in web development work that it is used on 97 percent of all websites that use at least one JavaScript library.

To say that jQuery is popular among JavaScript developers is the equivalent of saying "water is wet," which means that a prototype pollution flaw in this library opens the door to attacks on hundreds of millions of websites.

In a report published last week, Tal and the Snyk team described a prototype pollution flaw (CVE-2019-11358) in jQuery and released proof-of-concept code for it. To show how dangerous this vulnerability is, they showed how a prototype pollution flaw could allow attackers to assign themselves admin rights on a web app that uses jQuery code for its frontend.
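To make the mechanism concrete, here is an added example written for this page; it is neither Snyk's proof of concept nor jQuery's source. It pairs a minimal recursive merge in the style of the pre-3.4.0 jQuery.extend(true, ...) deep-copy path with a hardened version that skips the __proto__ key, which is what the jQuery 3.4.0 patch does. The attacker payload, the isAdminUser check and the function names are all assumptions made for illustration.

```javascript
// Added example, not jQuery's code. Constructed attacker input: JSON an app
// might accept from a request body or a parsed query string and deep-merge
// into one of its own objects.
const UNTRUSTED_JSON = '{"name":"guest","__proto__":{"isAdmin":true}}';

// Privilege check as an application might write it (assumed for the demo):
// a user object that carries no isAdmin flag is an ordinary user.
function isAdminUser(user) {
  return user.isAdmin === true;
}

// Vulnerable recursive merge modelled on pre-3.4.0 jQuery.extend(true, target, source).
function deepExtendVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      // When key is "__proto__", target[key] resolves through the inherited
      // accessor to Object.prototype, so the recursive call below writes into
      // the prototype shared by every object in the realm.
      const existing = target[key];
      const clone = (existing !== null && typeof existing === 'object') ? existing : {};
      target[key] = deepExtendVulnerable(clone, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: own keys only, and the keys that can reach a prototype are
// skipped. Skipping "__proto__" is the 3.4.0 fix; "constructor" and
// "prototype" are skipped as belt and braces against the constructor.prototype path.
function deepExtendHardened(target, source) {
  for (const key of Object.keys(source)) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const clone = (existing !== null && typeof existing === 'object') ? existing : {};
      target[key] = deepExtendHardened(clone, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merge the attacker's JSON with the vulnerable function, then ask whether an
// unrelated, freshly created user object now passes the admin check.
function runVulnerable() {
  try {
    deepExtendVulnerable({}, JSON.parse(UNTRUSTED_JSON));
    return isAdminUser({ name: 'someone-else' }); // true: the flag is inherited
  } finally {
    delete Object.prototype.isAdmin; // undo the pollution so later code is unaffected
  }
}

// Same payload through the hardened merge: the legitimate field survives,
// the prototype stays clean, and the rogue key is not copied onto the result.
function runHardened() {
  try {
    const merged = deepExtendHardened({}, JSON.parse(UNTRUSTED_JSON));
    return {
      polluted: isAdminUser({ name: 'someone-else' }),
      name: merged.name,
      copiedProtoKey: Object.prototype.hasOwnProperty.call(merged, '__proto__'),
    };
  } finally {
    delete Object.prototype.isAdmin;
  }
}

console.log('vulnerable merge made a new object admin:', runVulnerable());
console.log('hardened merge:', runHardened());
```

Run it with node. The point to take away is that the object passed to the merge is not the victim: every object created afterwards inherits the attacker's flag until the process restarts, which is why a deep merge of untrusted input anywhere in the code path is enough. In a live page, jQuery.fn.jquery reports the loaded version; anything below 3.4.0 still carries the unpatched extend.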

Not easy to exploit

But the good news is that prototype pollution attacks are not mass-exploitable: exploit code must be tailored to each target individually. Prototype pollution flaws require that attackers have in-depth knowledge of how each website works with its object prototypes, and how those prototypes factor into the application's logic.

Furthermore, some websites don't use jQuery for any heavy lifting operations, but merely to animate a few menus and show some popups, here and there.

"Finding versions of the jQuery vulnerability for this exploit is not a hard task, but automating an actual exploitation for custom code that makes use of jQuery's vulnerable API with regards to the prototype pollution would be more difficult," Tal told ZDNet.

In addition, apps and websites that rely on closed source code are also safeguarded against some attacks, Tal told us.

"Exploiting server-side closed source code, which is not easy to access for investigation, does require a fair bit of research to find out how polluting a global object scope would affect an application, if prototype pollution is applicable at all in such cases," the researcher said.

Nevertheless, in cases where jQuery is used for more complex operations, such as building full frontends or interacting with server-side systems, prototype pollution attacks can allow hackers a way into systems considered secure --an ideal bug for targeted attacks against high-value websites.

A huge attack surface

Tal, who worked with the Node.js team to report the bug to the jQuery team, recommends that web developers update their projects to the latest jQuery version, v3.4.0.

Today, most websites are still using the 1.x and 2.x branches of the jQuery library, which means that the vast majority of jQuery-based apps and websites are still open to attacks.


Taking into account that there is API breakage between the three major versions, and that web developers would rather throw acid on their faces than rewrite their frontends, most websites are bound to keep using older versions for the foreseeable future.

Fortunately, the patch has been backported to previous releases.

More prototype pollution attacks to come

In the meantime, the work to find and document more prototype pollution attacks continues at Snyk.

The company said it is already aware of more than 20 prototype pollution attacks, "spanning across browser and Node.js ecosystems," and expects to see more.
