Objective: Achieve ACE or DoS via 'inherits' library
Goal: Achieve ACE or DoS via 'inherits' library
└── 1. Manipulate Inheritance Chain
└── 1.2. Prototype Pollution on Constructor Functions Used with inherits [HIGH RISK]
├── 1.2.1. Target ctor.prototype [CRITICAL]
│ ├── 1.2.1.1. Add/Modify properties [CRITICAL] (ACE or DoS)
│ └── 1.2.1.2. Overwrite existing methods [CRITICAL] (ACE)
└── 1.2.2. Target superCtor.prototype [CRITICAL]
├── 1.2.2.1. Add/Modify properties [CRITICAL] (ACE or DoS)
└── 1.2.2.2. Overwrite existing methods [CRITICAL] (ACE)
Attack Tree Path: Manipulate Inheritance Chain
This is the overarching strategy – the attacker aims to disrupt the normal inheritance process established by the inherits library.
- Description: This is the core vulnerability. The attacker exploits a weakness in the application's input handling (or other vulnerable code) to inject or modify properties on the prototype of either the
ctor(subclass) orsuperCtor(superclass) constructor functions that are passed toinherits. - How it works: JavaScript's prototype-based inheritance means that objects inherit properties from their prototypes. If an attacker can modify the prototype, they can affect all objects created from that constructor (or its subclasses).
- Example Scenario:
- An application takes user input (e.g., from a JSON payload) and uses it to create an object.
- The attacker includes a malicious property like
"__proto__.pollutedProperty": "malicious_value"in the input. - If the application doesn't properly sanitize the input, this property might be added to the prototype of an object.
- Later, this object (or a related object) is used as a constructor with
inherits. - The
pollutedPropertyis now inherited by instances of the class, and if the application uses this property in an unsafe way (e.g., ineval), it leads to ACE.
Attack Tree Path: Target ctor.prototype [CRITICAL]
- Description: The attacker specifically targets the prototype of the "subclass" constructor function.
- Why it's critical: Modifying the
ctor.prototypedirectly affects the objects created from the subclass, making it a direct path to influencing the behavior of newly created instances.
Attack Tree Path: Add/Modify properties [CRITICAL] (ACE or DoS)
- Description: The attacker adds a new property or modifies an existing property on the
ctor.prototype. - ACE Example: If the application later uses this property in a string that's passed to
eval(), the attacker can inject arbitrary code. - DoS Example: The attacker could add a property that causes an infinite loop or consumes excessive resources when accessed.
- Why it's critical: This is a direct way to inject malicious data or behavior into the object's property chain.
Attack Tree Path: Overwrite existing methods [CRITICAL] (ACE)
- Description: The attacker replaces an existing method on the
ctor.prototypewith a malicious function. - ACE Example: The attacker overwrites a method like
toString()with a function that executes arbitrary code when called. - Why it's critical: This is the most direct way to achieve ACE, as the attacker completely controls the behavior of a method that will be called on instances of the class.
Attack Tree Path: Target superCtor.prototype [CRITICAL]
- Description: The attacker targets the prototype of the "superclass" constructor function.
- Why it's critical: Modifying the
superCtor.prototypeaffects not only objects created directly from the superclass but also all subclasses that inherit from it. This can have a wider impact than polluting thector.prototype.
Attack Tree Path: Add/Modify properties [CRITICAL] (ACE or DoS)
Similar to 1.2.1.1, but targeting the superCtor.prototype. The impact is potentially broader because it affects the superclass and all its subclasses.
Attack Tree Path: Overwrite existing methods [CRITICAL] (ACE)
Similar to 1.2.1.2, but targeting the superCtor.prototype. Again, the impact is potentially broader.