Hackers can remotely use a Hidden Property Abusing (HPA) attack to inject new values into Node.js apps
A team of security researchers from the Georgia Institute of Technology and Texas A&M University has discovered a way to exploit Node.js apps by manipulating the hidden properties feature. The team has named this Node.js threat vector Hidden Property Abusing (HPA); it manipulates the hidden properties that Node.js programs use to track internal program states.
The team will demonstrate the Hidden Property Abusing (HPA) attack at the virtual Black Hat security conference next week. They will show how potential hackers can use an HPA attack against Node.js apps to launch denial-of-service (DoS) attacks, bypass security restrictions, and steal confidential information.
A Hidden Property Abusing attack allows potential hackers to remotely inject new values into Node.js programs by passing objects. Node.js normally treats such values as internal data, and HPA exploits this very feature. Hidden Property Abusing abuses the Node.js developers’ assumption that internal program states are unreachable by an external attacker. The root cause of the problem is that “[a]fter the input data is converted to objects, Node.js treats them as legitimate objects like any other internal ones,” the researchers state.
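The pattern described above, as an added example that is not from the researchers, LYNX, or any real package: a hypothetical account handler where `verified` is meant to be internal state, shown beside a hardened form that copies only allow-listed, type-checked fields. The function names, field names and sample body are assumptions constructed for illustration.

```javascript
// Constructed sample request body: the client sends one property
// ("verified") that the hypothetical API never documented.
const SAMPLE_BODY = '{"name":"alice","email":"a@example.com","verified":true}';

// Vulnerable pattern: the parsed input is used directly as the internal
// record, so any extra property silently becomes program state.
function createAccountUnsafe(rawBody) {
  const account = JSON.parse(rawBody);   // input is now an ordinary object
  if (account.verified === undefined) {  // flag assumed unreachable from outside
    account.verified = false;
  }
  return account;
}

// Hardened pattern: build a fresh object from an allow-list of public
// fields and set internal state on the server side only.
const PUBLIC_FIELDS = { name: 'string', email: 'string' };

function createAccountSafe(rawBody) {
  const input = JSON.parse(rawBody);
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    throw new TypeError('body must be a JSON object');
  }
  // Properties outside the allow-list are reported, never copied.
  const unexpected = Object.keys(input).filter(
    (key) => !Object.prototype.hasOwnProperty.call(PUBLIC_FIELDS, key)
  );
  const account = Object.create(null);   // no inherited properties to shadow
  for (const [field, type] of Object.entries(PUBLIC_FIELDS)) {
    if (typeof input[field] !== type) {  // also rejects objects passed as strings
      throw new TypeError(`field "${field}" must be a ${type}`);
    }
    account[field] = input[field];
  }
  account.verified = false;              // internal state never comes from input
  return { account, unexpected };        // caller can log `unexpected` for detection
}

console.log('unsafe verified:', createAccountUnsafe(SAMPLE_BODY).verified);
console.log('safe result:', createAccountSafe(SAMPLE_BODY));
```

Logging the `unexpected` list gives defenders a signal that a client is probing for undocumented properties.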
When the team designed a tool called LYNX to study HPA exploits on 60 major Node.js components, they found 13 HPA zero-day vulnerabilities that can be exploited in any Node.js app. The vulnerabilities range from SQL injection to the ability to bypass input validation. The security researchers stated that 12 of the 13 vulnerabilities they discovered have been assigned unique CVE identifiers. The team added that they have informed the Node.js dev team about the vulnerabilities and are working with them to release patches.
The team says that their LYNX tool utilizes hybrid program analysis to automatically reveal HPA vulnerabilities and even synthesize exploits. The team will release the LYNX tool at the virtual Black Hat Conference.