Objective: Execute Arbitrary Code or Cause Denial of Service (DoS)
- Attacker Goal: Execute Arbitrary Code or DoS
  - Prototype Pollution via `__proto__` Alias [HIGH RISK]
    - Vulnerable `minimist` Version
    - **Application Misconfigures `minimist`** [CRITICAL]
      - **No Input Validation on User-Provided Arguments** [CRITICAL]
    - **Attacker Provides `--__proto__.<evil_key>=<evil_value>` as CLI Arg**
    - **Application Logic Uses Polluted Object**
    - **Arbitrary Code Execution**
  - DoS via Excessive Object Creation [HIGH RISK]
    - Vulnerable `minimist` Version
    - **Application Misconfigures `minimist`** [CRITICAL]
      - **No Input Validation on User-Provided Arguments** [CRITICAL]
    - **Attacker Provides Deeply Nested Object as CLI Arg**
    - **Denial of Service**
[HIGH RISK]: Both branches of the tree are marked as [HIGH RISK]: Prototype Pollution via `__proto__` Alias and DoS via Excessive Object Creation.
Attack Tree Path: Prototype Pollution via `__proto__` Alias (High Risk)

- Overall Description: This attack exploits a vulnerability (often in older versions of `minimist` or through misconfiguration) where an attacker can inject properties onto `Object.prototype` in JavaScript. This can lead to arbitrary code execution if the application later uses the polluted object in an unsafe way.
- Critical Nodes:
  - Application Misconfigures `minimist`: This is the fundamental flaw. The application must be set up in a way that allows user-provided input to influence the object parsing process of `minimist` without proper sanitization.
  - No Input Validation on User-Provided Arguments: This is the specific misconfiguration. The application does not check or filter the command-line arguments before passing them to `minimist`. This allows the attacker to inject arbitrary arguments, including those that target the `__proto__` property.
- High-Risk Path Steps:
  - Vulnerable `minimist` Version: While less likely with updated versions, using an older, unpatched version of `minimist` increases the risk.
  - Application Misconfigures `minimist` [CRITICAL]: The application lacks crucial security measures, primarily input validation.
  - No Input Validation on User-Provided Arguments [CRITICAL]: The application blindly trusts user-supplied command-line arguments.
  - Attacker Provides `--__proto__.<evil_key>=<evil_value>` as CLI Arg: The attacker crafts a malicious command-line argument to inject a property onto `Object.prototype`.
  - Application Logic Uses Polluted Object: The application's code accesses the polluted object, triggering the attacker's injected code.
  - Arbitrary Code Execution: The attacker gains control of the application, potentially leading to complete system compromise.
- Example:
  - Attacker runs the application with: `node app.js --__proto__.toString=()=>console.log('pwned!')`
  - If the application later calls `.toString()` on any object (which is very common), the attacker's code will execute.
Attack Tree Path: DoS via Excessive Object Creation (High Risk)

- Overall Description: This attack leverages the way `minimist` parses nested objects from command-line arguments. By providing a deeply nested object structure, an attacker can cause the application to consume excessive memory, leading to a denial of service.
- Critical Nodes:
  - Application Misconfigures `minimist`: The application must be configured to allow user input to create potentially large or deeply nested objects.
  - No Input Validation on User-Provided Arguments: The application does not limit the depth or size of objects that can be created via command-line arguments.
- High-Risk Path Steps:
  - Vulnerable `minimist` Version: While not a direct vulnerability, `minimist`'s parsing can be abused.
  - Application Misconfigures `minimist` [CRITICAL]: The application lacks input validation and limits on object size/depth.
  - No Input Validation on User-Provided Arguments [CRITICAL]: The application doesn't restrict the structure of user-provided arguments.
  - Attacker Provides Deeply Nested Object as CLI Arg: The attacker crafts a command-line argument to create a very large or deeply nested object.
  - Denial of Service: The application runs out of memory or becomes unresponsive.
- Example:
  - Attacker runs the application with: `node app.js --a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p=value --x.y.z.aa.bb.cc.dd.ee.ff.gg.hh.ii.jj.kk.ll.mm=value` (repeated many times, or with very long key names).
  - This can cause the application to allocate a large amount of memory, leading to a crash or unresponsiveness.
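Both paths above share one root cause: a dotted argument key is walked segment by segment and written wherever the walk ends. The following added example (written for this page, not `minimist`'s own code) contrasts a toy setter in that style with a hardened one that covers both paths by rejecting prototype-chain segments and capping nesting depth; the names `setKeyUnsafe`, `setKeySafe`, `parseArgs`, `demonstratePollution` and the limit `MAX_DEPTH` are hypothetical.

```javascript
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
const MAX_DEPTH = 8; // assumed limit; tune to the application's real option schema

// Vulnerable setter: creates intermediates along a dotted path, so a path that starts
// with __proto__ descends into Object.prototype and the final write pollutes every object.
function setKeyUnsafe(obj, keys, value) {
  let o = obj;
  for (const k of keys.slice(0, -1)) {
    if (o[k] === undefined) o[k] = {};
    o = o[k];
  }
  o[keys[keys.length - 1]] = value;
}

// Hardened setter: reject prototype-chain names in every segment, cap nesting depth,
// and descend only into own plain objects so inherited properties are never reached.
function setKeySafe(obj, keys, value) {
  if (keys.length > MAX_DEPTH) throw new RangeError(`key depth ${keys.length} exceeds ${MAX_DEPTH}`);
  for (const k of keys) if (FORBIDDEN.has(k)) throw new Error(`forbidden key segment: ${k}`);
  let o = obj;
  for (const k of keys.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(o, k) || typeof o[k] !== 'object') o[k] = {};
    o = o[k];
  }
  o[keys[keys.length - 1]] = value;
}

// Parses ["--a.b=1", "--flag"] into a plain object with the given setter. Values stay
// strings, as minimist also passes them through unless they look numeric.
function parseArgs(argv, setKey = setKeySafe) {
  const out = {};
  for (const arg of argv) {
    if (!arg.startsWith('--')) continue;
    const eq = arg.indexOf('=');
    const rawKey = eq === -1 ? arg.slice(2) : arg.slice(2, eq);
    const value = eq === -1 ? true : arg.slice(eq + 1);
    setKey(out, rawKey.split('.'), value);
  }
  return out;
}

// Feeds a constructed pollution argument to the unsafe setter, reports whether a fresh
// object inherited the injected property, then removes it so nothing leaks.
function demonstratePollution() {
  parseArgs(['--__proto__.polluted=yes'], setKeyUnsafe); // constructed input
  const leaked = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return leaked;
}
```

With the hardened setter, the page's two example command lines fail fast with an error instead of reaching `Object.prototype` or allocating a deep object graph, and the depth check is the place to also bound key count and key length if the application is exposed to untrusted argv.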