
Prototype pollution vulnerability

Open cee-chen opened this issue 5 years ago • 4 comments

👋 I know this repo is probably no longer maintained - I'm opening this issue for others out there on the internet who still might be using $.deparam and care about this sort of thing. You can grab the fix in my PR here: #61

To be clear also: If you care about security/prototype pollution and are using jQuery BBQ, you should be on jQuery 3.4.0+ (and using one of the open PRs to enable jQuery 3 compatibility, e.g. #48 or #42). Otherwise you'll still be vulnerable to pollution via $.extend.

If you're continuing to use jQuery BBQ in production, I recommend maintaining your own fork with #48 and #61 merged/cherry-picked. You'll have to uglify/compress your own final output, but there are online YUI compressors you can easily use.

Reproducing

To see the prototype pollution in action:

  • http://benalman.com/code/projects/jquery-bbq/examples/deparam/?__proto__[test]=polluted
  • http://benalman.com/code/projects/jquery-bbq/examples/deparam/?someObj[__proto__][test]=polluted
    • Open your browser console and enter ({}).test. Note that it now outputs "polluted".

Why does it matter?

Check the following more malicious examples:

  • http://benalman.com/code/projects/jquery-bbq/examples/deparam/?__proto__[hasOwnProperty]=true
    • We've hijacked .hasOwnProperty for every single obj instance on the page.
  • http://benalman.com/code/projects/jquery-bbq/examples/deparam/?__proto__[test]=alert(%27hi%27)
    • Run eval({}.test) in your console - this is a potential XSS vector for sites that eval() on user parameters (hopefully none or very few).

Further reading on prototype pollution:

  • https://stackoverflow.com/a/60850027/4294462
  • https://snyk.io/blog/after-three-years-of-silence-a-new-jquery-prototype-pollution-vulnerability-emerges-once-again/

cee-chen avatar Oct 07 '20 23:10 cee-chen

FYI, doing Object.create(null) isn't enough as there are other ways to get at the Object.prototype. jQuery fixed this by preventing any __proto__ key part.

For example, here are other vulnerable query strings:

  • foo[0]=bar&foo[__proto__][__proto__][test]=polluted
  • foo=bar&foo=baz&foo[__proto__][__proto__][test]=polluted
  • foo=bar&foo[__proto__][__proto__][test]=polluted

mhofman avatar Dec 18 '20 23:12 mhofman
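The point mhofman makes above (a null-prototype root does not help once a nested container such as an array carries its own prototype chain) is shown in the following added example, which is not jquery-bbq's code: a minimal deparam-style parser that drops any pair whose key path contains a `__proto__` segment, as jQuery 3.4.0 does for $.extend, and additionally rejects `constructor` and `prototype`. The names `safeDeparam`, `splitKey` and `demo` and the sample query are constructed; unlike $.deparam, repeated plain keys are not collected into arrays.

```javascript
// Added example, not jquery-bbq's own code: a deparam-style parser that
// refuses key segments able to reach Object.prototype through the chain.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

// Split "a[b][0][c]" into ["a", "b", "0", "c"]; a trailing "[]" yields "".
function splitKey(key) {
  const m = key.match(/^([^[]+)((?:\[[^\]]*\])*)$/);
  if (!m) return [key];
  const parts = [m[1]];
  const re = /\[([^\]]*)\]/g;
  let seg;
  while ((seg = re.exec(m[2])) !== null) parts.push(seg[1]);
  return parts;
}

function safeDeparam(query) {
  const out = {};
  for (const pair of query.replace(/^\?/, "").split("&")) {
    if (!pair) continue;
    const [rawKey, rawVal = ""] = pair.split("=");
    const key = decodeURIComponent(rawKey.replace(/\+/g, " "));
    const val = decodeURIComponent(rawVal.replace(/\+/g, " "));
    const parts = splitKey(key);
    // A forbidden segment anywhere in the path drops the whole pair, so
    // foo[__proto__][__proto__][x] never walks Array.prototype up to Object.prototype.
    if (parts.some((p) => FORBIDDEN.has(p))) continue;
    let cur = out;
    for (let i = 0; i < parts.length; i++) {
      const seg = parts[i];
      if (i === parts.length - 1) {
        if (seg === "" && Array.isArray(cur)) cur.push(val); else cur[seg] = val;
        break;
      }
      const next = parts[i + 1];
      const wantArray = next === "" || /^\d+$/.test(next);
      // Only descend into containers this parser created itself (own properties).
      if (!Object.prototype.hasOwnProperty.call(cur, seg) || typeof cur[seg] !== "object") {
        cur[seg] = wantArray ? [] : {};
      }
      cur = cur[seg];
    }
  }
  return out;
}

// Constructed query mixing the polluting paths from this thread with benign keys.
const SAMPLE_QUERY =
  "?__proto__[test]=polluted&foo[0]=bar&foo[__proto__][__proto__][x]=1&a[b]=c&list[]=1&list[]=2";
function demo() { return safeDeparam(SAMPLE_QUERY); }
```

After `demo()` runs, `({}).test` and `[].x` are still undefined while the benign keys are parsed normally.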

Hi there,

Unfortunately, in https://github.com/cowboy/jquery-bbq/blob/master/jquery.ba-bbq.min.js the prototype pollution is still there and can be launched from the client side (different from the above case, which seems to be launched from the server side).

Just check the code "R=R[S]=P<Q?R[S]||(U[P+1]&&isNaN(U[P+1])?{}:[]):M" in that file. Object.prototype is polluted when some website, vulnerable.com, is using this library and someone visits https://vulnerable.com/?__proto__[Key]=pollute. Hopefully you can patch that line of code.

Actually, I have discovered 6 real-world websites that are using this library and hence have this vulnerability. But I'm not going to disclose them here for the sake of their security. Thanks!

zifeng-kang avatar Jul 07 '21 21:07 zifeng-kang

Hello, I already reflected this XSS on the client website: Object.prototype.div=['1',''] $('

') When I use this snippet in the browser console it pops up a screen "1". Right now it creates a self XSS; I need to draft the code to exploit a user upon click. BugBountyTIP.

mzjoker85 avatar Mar 12 '23 14:03 mzjoker85

Apparently a CVE was already created for this in 2021: https://www.cve.org/CVERecord?id=CVE-2021-20086

marcovtwout avatar Sep 18 '24 09:09 marcovtwout