|2 via 2 paths|
Find, fix and prevent vulnerabilities in your code.
- Vulnerable module: koa-body
- Introduced through: email@example.com
Introduced through: firstname.lastname@example.org › email@example.comRemediation: Upgrade to firstname.lastname@example.org.
koa-body is A koa body parser middleware. Support multipart, urlencoded and json request bodies.
Affected versions of the package are vulnerable to Directory Traversal. An attacker may POST or PUT a request to the
/upload-files endpoint and make the request handler think a file has been uploaded to
/any/file/path. By using paths of sensitive files an attacker would be able to read private keys, configuration files and passwords.
A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.
Directory Traversal vulnerabilities can be generally divided into two types:
- Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.
st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the
If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.
%2e is the URL encoded version of
- Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as
One way to achieve this is by using a malicious
zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.
The following is an example of a
zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in
/root/.ssh/ overwriting the
2018-04-15 22:04:29 ..... 19 19 good.txt 2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys
There is no fix version for
- Vulnerable module: extend
- Introduced through: email@example.com
Introduced through: firstname.lastname@example.org › email@example.com › firstname.lastname@example.orgRemediation: Upgrade to email@example.com.
extend is a port of the classic extend() method from jQuery.
Affected versions of this package are vulnerable to Prototype Pollution. Utilities function can be tricked into modifying the prototype of "Object" when the attacker control part of the structure passed to these function. This can let an attacker add or modify existing property that will exist on all object.
There are two main ways in which the pollution of prototypes occurs:
- Property definition by path
Unsafe Object recursive merge
The logic of a vulnerable recursive merge function follows the following high-level model:
merge (target, source) foreach property of source if property exists and is an object on both the target and the source merge(target[property], source[property]) else target[property] = source[property]
When the source object contains a property named
_proto_ defined with
Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of
Object and the source of
Object as defined by the attacker. Properties are then copied on the
Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object:
Hoek are examples of libraries susceptible to recursive merge attacks.
Property definition by path
theFunction(object, path, value)
If the attacker can control the value of “path”, they can set this value to
myValue is then assigned to the prototype of the class of the object.
Types of attacks
There are a few methods by which Prototype Pollution can be manipulated:
|Denial of service (DoS)||Client||This is the most likely attack.
DoS occurs when
The attacker pollutes
For example: if an attacker pollutes
|Remote Code Execution||Client||Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
|Property Injection||Client||The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
For example: if a codebase checks privileges for
The following environments are susceptible to a Prototype Pollution attack:
- Application server
- Web server
How to prevent
- Freeze the prototype— use
- Require schema validation of JSON input.
- Avoid using unsafe recursive merge functions.
- Consider using objects without prototypes (for example,
Object.create(null)), breaking the prototype chain and preventing pollution.
- As a best practice use
For more information on this vulnerability type:
extend to version 2.0.2, 3.0.2 or higher.