This was a proof of concept. The real vulnerability shown is the property pollution and how it can be exploited in cases where user input isn't sanitized before being passed into library code that isn't safe. The proof of concept was just an example of what could happen in a specific case where Next.js and AMP was used, that would pass query parameters directly into the getServerSideProps through the unflatten function, as a way to run arbitrary code on the web server.
@@dealloc Thanks for the clarification. I Really appreciate it, but still I'm amazed of people who actually discover these exploits or vulnerabilities for the first time. How they think, how they do stuff amazes me.
@@hesh1700 inspiration from other vuln types, knowledge of building/coding stuff from scratch (you're a dev) and the time to sit around playing with things your interested (or are paid well) to research.
Subscribed to your channel a while ago because you discussed interesting topics outside of my primary area of interest. As a front end React developer, I'd never thought I'd see a video on your channel that cut so close to home. This is absolutely excellent information to know. omg thank you so much for this video!
This channel is gonna touch millions soon. Every video you create makes me curious about how it all can be broken down and easily hijacked. i love the graphics , very neat and clean.
This is excellent work. So refreshing to find a clear, concise description of tricky topics. Thank you for the work this video took, it was well worth it.
Excellent video and explanation! In my opinion, prototype issues shouldn’t be the module’s issue (i.e flat isn’t vulnerable). It’s the incorrect usage of the module that causes the vulnerability. This is like saying a MySQL library is vulnerable because it allows the programmer to pass unsanitized user input. Putting this responsibility on the module is something I’ve noticed more in JS since npm started it’s automatic “audits” on module installs.
Billion Dollar Companies: Spending Millions on patching vulnerabilities Also Billion Dollar Companies: Shipping Frameworks that sideload code from a CDN and run it on your server without further checks just to save the developer 5 Minutes of thinking.
Addendum: I agree that in this case, the root cause is not the framework itself. However, it is a contributor to the issue and the CDN simply being compromised is another very possible and very unnecessary attack vector that using it adds to your application.
@@cybroxde Yeah, it looks quite insane to me to yolo-execute arbitrary code from a URL without verifying it via their public key with asymmetric cryptography. But AMP is evil anyways, so not too surprised they also added backdoors to servers that comply with them
How well does the automated search for exploits actually work? What is the chance that a given exploit is detected? What I do know out of experience is that most exploits have been there for a pretty long time, and that 'there always are exploits'.
It scans for already known vulnerabilities. While there are ways to use somewhat scan for possible vulnerabilities with static analysis and checking for common flaws. But the best known solution is to check against a database of known vulnerabilities, that have been discovered and reported by people.
@@dealloc Hm well now I think of it, it should be pretty easy if you just look for outdated libraries which is dogwork for humans but very systematically approachable in some areas I think. This could for example be used in combination with the Log4jl REC exploit, where basically logging any user input in an outdated library is 'lethal'. What I also do know is that my friend actually tried InteliJ"s search to try to find a recent minecraft server crashing exploit. This exploit had been around for a few years in some, and is in the interest of some very hackerous communities. (shulker box dispenser world height exploit, 'hackerous communities' meaning 2b2t)
@@gimmethedata4256 The issue is not so much to look up dependencies of libraries, that's easy. The hard part is finding the vulnerability in the original library or code where it originates. Any software the relies on code that has vulnerabilities will also inherit those vulnerabilities. But the severity depends on where and how it's used. So it doesn't mean that software that uses a library with vulnerabilities is itself vulnerable if the it's used in places that aren't exploitable. In the case of Log4Shell it is a severe vulnerability for any library and code that passes any user input, but not so much if it doesn't. This is sometimes a problem with automated systems as most of the results can be false positives, especially when scanning development-only environments. It adds a lot of noise and can hide the real threats that appear in code that interfaces with user and other external sources.
@@dealloc Yeah, but finding which things use the lib is already 20% of the most boring part of the work. I agree, it is rly hard to determine systematically whether or not something is an exploit, for therefore you first need to define what user input is. I agree that is really hard. Ig everything that goes through netty can be regarded as 'user input', but there I bet there are tons of ways to connect to netty so that is already a problem. Then you have also got libraries on top of the netty stuff ... then you need some algorithm to follow the stack trace of the user input and 'understand' a lot of internal functions, and how they change the user input. It is also kinda tricky to determine whether or not something is an exploit, I mean for RCE it should be pretty easy, but for teleportation exploits in game it is hard. But hey, even if you find 1% of the exploits systematically, then that is still an absolute win. I mean it is really 1% * times a thousand projects times 10 hidden exploits per project ... That's still a 100 exploits. So therefore I think you should focus on the easily systematically detectable exploits. Would you wanna collaborate on something like that? hobrin#4694
Fun fact, you used to be able to overwrite undefined to a different value in JS... IIRC it was just window.undefined = true and suddenly everything breaks down
Being someone who recently figured out OOP in JavaScript and wrote a blog to share my knowledge, i rly loved this vid and it made soooo much sense to me
off topic but it's a thing I learned today, in css you can honour text dpi by simply using the "in" unit on :root font-size then use rem everywhere else
Whoever though that flattening user input object into your codebase is alright, and that runContext is going to make better companion than eval? Yet another reason to switch over Sapper and other Svelte minimalistic solutions, in my opinion.
node can be a nightmare if not done properly right. Keep an eye on package vulnerabilities or jump ship to stable backend scripts like php and python. Not saying they are secure but you have less to worry about.
Same kind of stuff happens in python and Php. Take a look at either language’ eval function. You should only ever use these kind of functions if you are 100% sure what you are doing is safe, but mostly this is mission impossible
Wow i am not a developer but a light bullb watching your video(s) with a mind blown effect. Thanks for the clear and understandable explanation why and how a exploit works. now i need to check my ops team if they actually manage exploits like these in general.
@@vanjazed7021 no, seriously. The fact that you can invoke methods on a string literal does not mean that strings are objects, it's merely a convenience mechanism. Strings are passed by value and their "typeof" is not object, so they really are primitive (just like numbers, bools, undefined and null)
Thank you for tNice tutorials! I've been trying to figure the software out on my own for a wNice tutorialle, and it's horribly confusing. TNice tutorials is the only guide video
I don't have familiarity with next.js and I guess readers who do have that understand where in your talk you refer to where a user could cause their arbitrary code to be executed on the server side, but for me, you blow through that very quickly and I don't understand or hear where you explain that. But I guess the bottom line of what you are saying here is that something about next.js or some common way to use it opens such a vulnerability.
I know many people have already made videos abou it, but I really wanted to see youir video about Log4j vulnerability. I wanted to see your opinion as a security researcher, please, if you can, make a video about it.
I really appreciate your explanations and know this is subjective: But personally I would prefer if you assumed some basic knowledge about a subject and then explain the topic you want rather than explaining everything from the ground up. The explanation for classes, objects, and members felt a little bit underwhelming for the video at hand. That being said, your explanation there was, as always, wonderful, along with the rest of the video!
It seems REALLY dumb that JS lets you add things to objects that aren't in the class and add things to both ON THE FLY. I can see uses for this, but none of them need this feature and it adds looks to add so many risks.
This was heavily used for something called polyfills. Basically, if the browser doesn’t support a JS feature (or its implementation is buggy) you can conditionally add it to the language yourself. It’s used a lot less in modern code supporting modern clients. It’s also pretty useless for business logic. It was great for JavaScript because the number of runtimes that many projects supported. This would be a lot less useful in a compiled language because you know the compiler you’re targeting and the features it supports.
I'm a bit confused about how the getServerProps is actually exploited, in the example, it's not even receiving data from the url query, also, even if it was, the only prop being returned is the one we actually want, can someone kindly point out which part of the process am I missing?
I'm guessing the unflatten function itself does something to the input that overrides the global Object's __prototype__. Don't even need to return the value
I tried your repo. After polluting the prototype like you do at 10:54 I get the 404 but if I try to go to localhost:3000 I still get 404 so I guess the global namespace did not get polluted in my case?
My bad, it's "Almost everything is an object".
hehe .. me not like use front end server thou
@@daruiraikage he meant almost everything in Javascript is an object.
"dont let the feminists see this" haha ... btw really cool work brother
So... everything in python is a cat ;)
I watched 2 of your videos and I realized how fucked we're gonna be when the world goes full digital.....
1 question. "How?" That's a lot of content to keep track of to make this work. Seriously though, your work is awesome and I learned a lot from it.
This was a proof of concept. The real vulnerability shown is the property pollution and how it can be exploited in cases where user input isn't sanitized before being passed into library code that isn't safe.
The proof of concept was just an example of what could happen in a specific case where Next.js and AMP was used, that would pass query parameters directly into the getServerSideProps through the unflatten function, as a way to run arbitrary code on the web server.
@@dealloc Thanks for the clarification. I Really appreciate it, but still I'm amazed of people who actually discover these exploits or vulnerabilities for the first time. How they think, how they do stuff amazes me.
@@hesh1700 inspiration from other vuln types, knowledge of building/coding stuff from scratch (you're a dev) and the time to sit around playing with things your interested (or are paid well) to research.
In the end, the attached HAS to pollute the code on the server for this to work.
Subscribed to your channel a while ago because you discussed interesting topics outside of my primary area of interest. As a front end React developer, I'd never thought I'd see a video on your channel that cut so close to home. This is absolutely excellent information to know. omg thank you so much for this video!
Totally agreed! This video earned him my sub. Interesting to watch his other videos.
there’s fun depth to the “everything is an object” thing, basically amounting to “mostly everything is an object”
This channel is gonna touch millions soon. Every video you create makes me curious about how it all can be broken down and easily hijacked. i love the graphics , very neat and clean.
This is excellent work. So refreshing to find a clear, concise description of tricky topics. Thank you for the work this video took, it was well worth it.
This genuinely is the only thing that made me understand objects. Thank you so so much!
Lol I have always thought prototype pollutions as an annoyance but you have shown that batshit libraries can make it basically an RCE, goddamnit
Excellent video and explanation!
In my opinion, prototype issues shouldn’t be the module’s issue (i.e flat isn’t vulnerable). It’s the incorrect usage of the module that causes the vulnerability. This is like saying a MySQL library is vulnerable because it allows the programmer to pass unsanitized user input. Putting this responsibility on the module is something I’ve noticed more in JS since npm started it’s automatic “audits” on module installs.
This is a great example. Will def be thinking about properly blocking prototype chain traverse while coding.
Billion Dollar Companies: Spending Millions on patching vulnerabilities
Also Billion Dollar Companies: Shipping Frameworks that sideload code from a CDN and run it on your server without further checks just to save the developer 5 Minutes of thinking.
Addendum: I agree that in this case, the root cause is not the framework itself. However, it is a contributor to the issue and the CDN simply being compromised is another very possible and very unnecessary attack vector that using it adds to your application.
@@cybroxde Yeah, it looks quite insane to me to yolo-execute arbitrary code from a URL without verifying it via their public key with asymmetric cryptography. But AMP is evil anyways, so not too surprised they also added backdoors to servers that comply with them
How well does the automated search for exploits actually work? What is the chance that a given exploit is detected? What I do know out of experience is that most exploits have been there for a pretty long time, and that 'there always are exploits'.
It scans for already known vulnerabilities. While there are ways to use somewhat scan for possible vulnerabilities with static analysis and checking for common flaws. But the best known solution is to check against a database of known vulnerabilities, that have been discovered and reported by people.
@@dealloc Hm well now I think of it, it should be pretty easy if you just look for outdated libraries which is dogwork for humans but very systematically approachable in some areas I think. This could for example be used in combination with the Log4jl REC exploit, where basically logging any user input in an outdated library is 'lethal'.
What I also do know is that my friend actually tried InteliJ"s search to try to find a recent minecraft server crashing exploit. This exploit had been around for a few years in some, and is in the interest of some very hackerous communities. (shulker box dispenser world height exploit, 'hackerous communities' meaning 2b2t)
@@gimmethedata4256 The issue is not so much to look up dependencies of libraries, that's easy. The hard part is finding the vulnerability in the original library or code where it originates. Any software the relies on code that has vulnerabilities will also inherit those vulnerabilities. But the severity depends on where and how it's used. So it doesn't mean that software that uses a library with vulnerabilities is itself vulnerable if the it's used in places that aren't exploitable.
In the case of Log4Shell it is a severe vulnerability for any library and code that passes any user input, but not so much if it doesn't.
This is sometimes a problem with automated systems as most of the results can be false positives, especially when scanning development-only environments. It adds a lot of noise and can hide the real threats that appear in code that interfaces with user and other external sources.
@@dealloc Yeah, but finding which things use the lib is already 20% of the most boring part of the work. I agree, it is rly hard to determine systematically whether or not something is an exploit, for therefore you first need to define what user input is. I agree that is really hard.
Ig everything that goes through netty can be regarded as 'user input', but there I bet there are tons of ways to connect to netty so that is already a problem. Then you have also got libraries on top of the netty stuff ... then you need some algorithm to follow the stack trace of the user input and 'understand' a lot of internal functions, and how they change the user input.
It is also kinda tricky to determine whether or not something is an exploit, I mean for RCE it should be pretty easy, but for teleportation exploits in game it is hard. But hey, even if you find 1% of the exploits systematically, then that is still an absolute win. I mean it is really 1% * times a thousand projects times 10 hidden exploits per project ... That's still a 100 exploits. So therefore I think you should focus on the easily systematically detectable exploits.
Would you wanna collaborate on something like that?
hobrin#4694
Thats why I name my variables Yoda style, instead of isAdmin I put AdminIs
yesAdmin = 'is';
> "everything is an object"
> getting "undefined is not an object" all day long
Fun fact, you used to be able to overwrite undefined to a different value in JS... IIRC it was just window.undefined = true and suddenly everything breaks down
A class is like a blue print meanwhile a object is a building i guess
Pwn: a class is basically a structure.
C#: so a structure is basically a class.
Being someone who recently figured out OOP in JavaScript and wrote a blog to share my knowledge, i rly loved this vid and it made soooo much sense to me
I liked your presentation and animation skills
Appreciate your work man! Nice video
off topic but it's a thing I learned today, in css you can honour text dpi by simply using the "in" unit on :root font-size then use rem everywhere else
nc
The Self language pioneered objects without classes. Javascript continued that capability.
Damn whenever i feel i know everything in js and then i see something like this which blows my mind..so many more things to learn
Whoever though that flattening user input object into your codebase is alright, and that runContext is going to make better companion than eval?
Yet another reason to switch over Sapper and other Svelte minimalistic solutions, in my opinion.
This channel is _awesome_ man! I've just discovered it and I love it! Great work.
node can be a nightmare if not done properly right. Keep an eye on package vulnerabilities or jump ship to stable backend scripts like php and python. Not saying they are secure but you have less to worry about.
Same kind of stuff happens in python and Php. Take a look at either language’ eval function. You should only ever use these kind of functions if you are 100% sure what you are doing is safe, but mostly this is mission impossible
Finally a new video I always learn so much
Gonna refer my buddies to learn OOP from this wholesome vid
Wow i am not a developer but a light bullb watching your video(s) with a mind blown effect. Thanks for the clear and understandable explanation why and how a exploit works. now i need to check my ops team if they actually manage exploits like these in general.
Hey PwnFunction, just wanted to ask how do you make these videos. It looks really cool especially the drawing thing
Great content an keep it up 💪
This is true black magic. Love it!
Damn you!!! I swore I’d never learn js, but now I know how to make js classes 😭
Hey! Awesome video btw. Loved it thoroughly 🙌🎉
Your Logo is OP!! + the explanation ( Can you make react videos maybe in the future if you know ) ?
more prototype pollution please :)
"Everything in JavaScript is an object" - well no, not everything, forget that immediately
technically yes, just not the same type of object, but they all have common superclass
@@vanjazed7021 no, seriously. The fact that you can invoke methods on a string literal does not mean that strings are objects, it's merely a convenience mechanism. Strings are passed by value and their "typeof" is not object, so they really are primitive (just like numbers, bools, undefined and null)
missed ya, master pwnfunction. thx for the post. happy holidays. 🌟
Happy holidays to you too :)
Stateful server side rendering is the root of all evil.
im here at 113k subs, and I'll be here for the 1 mil subs. great content ❤️
Binge watching your vids! Great content btw💕
Do share a link to your IDE plugins. Digging the layout.
Check the description :)
Awesome video as a life long hacker i am always amazed however much things change they stay the same.
I llike the whole, "Eminem is a square" analogy.
Thanks again @PwnFunction hahaha I'll create a list of your repos lol.
Oh god I gotta run snyk against my codebase now
The rectangle class is an object
great video man, what's your terminal configs btw
12:20 👀👀 Don't to worry child, oh fu*k
great video! what next.js version is this bug on? have you reported that to vercel?
*Me in C programming procedural code, offline*: now this is safety
You earned a sub ;) (and a disc member too :))
bro i really love your content . especially the way you teach 🔥🔥🔥🔥😍😍😍😍💘💘
Man this is gold. Thanks!
Thank you for tNice tutorials! I've been trying to figure the software out on my own for a wNice tutorialle, and it's horribly confusing. TNice tutorials is the only guide video
3:40 i just put 2x speed and you say "eminem"
Amazing video! BTW what's the font?
Is it the channel of LiveOverflow's little brother?
how did you know 👀
@@PwnFunction you've been pwned
finally, something interesting popped up in my recommended
how did u make yor VScode look so good
Pure gold, thank you!!!
great video as usual
I don't have familiarity with next.js and I guess readers who do have that understand where in your talk you refer to where a user could cause their arbitrary code to be executed on the server side, but for me, you blow through that very quickly and I don't understand or hear where you explain that. But I guess the bottom line of what you are saying here is that something about next.js or some common way to use it opens such a vulnerability.
Learnt something new, nice vid
Does this work even when dependencies are minified or do the object properties need to match the names in the objects exactly?
did next or amp peps at least patch this? but I guess it's not next or amp vulnerability but the flatten modules
I know many people have already made videos abou it, but I really wanted to see youir video about Log4j vulnerability. I wanted to see your opinion as a security researcher, please, if you can, make a video about it.
Welcome back!
Awesome work!
glad your back
I love tne way you explain
are you able to access the base object because it was a global variable? would namespacing protect against this?
The base "Object" is always global.
what did you use to animate this video? edit software?
Which screen recorder do you use bro?
HTML Injection explained pls!!
what is the whiteboard software u using ?
can we do a video where you don’t explain the entirety of OOP beforehand
I really appreciate your explanations and know this is subjective: But personally I would prefer if you assumed some basic knowledge about a subject and then explain the topic you want rather than explaining everything from the ground up. The explanation for classes, objects, and members felt a little bit underwhelming for the video at hand. That being said, your explanation there was, as always, wonderful, along with the rest of the video!
Thanks! I'll apply that next time. A bunch of people also told me the same thing. I appreciate the feedback.
@@PwnFunction I really appreciated and enjoyed how it was broken down and explained.
Subscribed and liked as well!
Consider putting in timestamps so people who already know it can skip ahead easily and beginners can still watch the basic stuff
@@PwnFunction btw what colorscheme you're using in vscode in this video, sir? mine is the default and not really that colorful...
I polluted my pants
It seems REALLY dumb that JS lets you add things to objects that aren't in the class and add things to both ON THE FLY. I can see uses for this, but none of them need this feature and it adds looks to add so many risks.
This was heavily used for something called polyfills. Basically, if the browser doesn’t support a JS feature (or its implementation is buggy) you can conditionally add it to the language yourself. It’s used a lot less in modern code supporting modern clients. It’s also pretty useless for business logic.
It was great for JavaScript because the number of runtimes that many projects supported. This would be a lot less useful in a compiled language because you know the compiler you’re targeting and the features it supports.
Please , teach us how to understand and debug code like you
This is awesome!
Not everything in JavaScript is an object. Most things are but not everything.
I like the penguin
Nice explanation
I'm a bit confused about how the getServerProps is actually exploited, in the example, it's not even receiving data from the url query, also, even if it was, the only prop being returned is the one we actually want, can someone kindly point out which part of the process am I missing?
I'm guessing the unflatten function itself does something to the input that overrides the global Object's __prototype__. Don't even need to return the value
How to fix most web exploits: get rid of the overuse of JavaScript and set a strict CSP. Can't exploit users if no JavaScript is run.
This exploit is entirely server side, so csp isn’t gonna do jack
So naïve...
I never knew that you could just add random new variables into objects into Javascript. What an abomination
Well done 💪
What terminal is that??
2:00 does this mean C structs can be classes
Before C++ was called C++, it was called "C with classes". The classes were a minor enhancement over structures.
(proceeds to continue)
No idea what’s happening but I like it.
thanks alot
"Everything in Javascript is an object?" E.g. primitives like boolean, string, number are not objects.
Same for functions
npm audit fix --force
One day i will understand this video fully :) Thank you for sharing such an awesome content .
Awesome!!
oop I am first lol that is cool loving your channel so far though!
Haha good eye. The video isn't supposed to be out this soon XD.
@@PwnFunction haha oops
gg
gg
I tried your repo. After polluting the prototype like you do at 10:54 I get the 404 but if I try to go to localhost:3000 I still get 404 so I guess the global namespace did not get polluted in my case?
This is horrifying. Why do people still write code in JavaScript?