Hidden Property Abusing attack allows hackers to exploit any Node.js App


Hackers can remotely use Hidden Property Abusing (HPA) attack to inject new values into Node.js Apps

A team of security researchers from the Georgia Institute of Technology and Texas A&M University has discovered a way to exploit Node.js apps by manipulating the hidden properties feature. The team has named this Node.js threat vector Hidden Property Abusing (HPA); it manipulates the hidden properties that Node.js uses to track internal program states.

The team, consisting of Feng Xiao, Jianwei Huang, Yichang Xiong, Guangliang Yang, Hong Hu, Guofei Gu, and Wenke Lee, found that they could exploit the widely used data exchanging feature of JavaScript to tamper with critical program states of Node.js programs.

The team will be demonstrating the Hidden Property Abusing (HPA) attack at the virtual Black Hat security conference next week. They will demonstrate how an HPA attack can be used by potential hackers to exploit Node.js apps to launch denial-of-service (DoS) attacks, bypass security restrictions, and steal confidential information.

The Hidden Property Abusing attack allows potential hackers to remotely inject new values into Node.js programs by passing objects. Node.js normally treats such values as internal data, and HPA exploits this very feature. Hidden Property Abusing abuses the Node.js developers’ assumption that the internal program states are unreachable by an external attacker. The root cause of the problem is that “[a]fter the input data is converted to objects, Node.js treats them as legitimate objects like any other internal ones,” the researchers state.

The research team says that the HPA attack is similar to the JavaScript Prototype Pollution attack in many ways. In JPP, the threat is about polluting the prototype of a base object which can sometimes lead to arbitrary code execution. In the case of Hidden Property Abusing, however, the prototype is not changed, but the properties inherited from a prototype can be overwritten, the researchers say.
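The distinction drawn above can be seen in a few lines. The following is an added example, not code from the researchers or from LYNX; `Profile`, `role` and the loader functions are hypothetical names. It places a loader that copies every input key next to an allowlisting loader, plus a check that lists own properties shadowing inherited ones.

```javascript
// Constructed example: Profile, role and the loader names are hypothetical.
class Profile {}
// Internal state kept on the prototype; the developer assumes clients cannot reach it.
Profile.prototype.role = 'user';

// Vulnerable pattern: every key of the parsed request body becomes an own property,
// so an input key named "role" shadows the inherited internal value.
function loadProfileUnsafe(jsonText) {
  return Object.assign(new Profile(), JSON.parse(jsonText));
}

// Hardened pattern: copy only allowlisted keys, and only when they are strings.
const ALLOWED_KEYS = ['name', 'email'];
function loadProfileSafe(jsonText) {
  const input = JSON.parse(jsonText);
  if (input === null || typeof input !== 'object') {
    throw new TypeError('request body must be a JSON object');
  }
  const profile = new Profile();
  for (const key of ALLOWED_KEYS) {
    const present = Object.prototype.hasOwnProperty.call(input, key);
    if (present && typeof input[key] === 'string') profile[key] = input[key];
  }
  return profile;
}

// Check for tests or logging: own keys that shadow a property on the prototype chain.
function findShadowedProperties(obj) {
  const proto = Object.getPrototypeOf(obj);
  if (proto === null) return [];
  return Object.keys(obj).filter((key) => key in proto);
}

// Constructed request body carrying an unexpected "role" key.
const body = '{"name":"alice","role":"admin"}';
const unsafe = loadProfileUnsafe(body);
const safe = loadProfileSafe(body);
console.log(unsafe.role, findShadowedProperties(unsafe)); // admin [ 'role' ]
console.log(safe.role, findShadowedProperties(safe));     // user []
console.log(Profile.prototype.role);                      // user (prototype untouched)
```

The prototype still reads `user` after the unsafe load, which is what separates this case from prototype pollution: only the one object built from the request carries the overriding value.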

When the team designed a tool called LYNX to study HPA exploits on 60 major Node.js components, they found 13 HPA zero-day vulnerabilities that can be exploited in any Node.js app. The vulnerabilities range from SQL injection to the ability to bypass input validation. The security researchers stated that 12 of the 13 vulnerabilities they discovered have been assigned unique CVE identifiers. The team added that they have informed the Node.js dev team about the vulnerabilities and are working with them to release patches.

The team says that their LYNX tool utilizes hybrid program analysis to automatically reveal HPA vulnerabilities and even synthesize exploits. The team will release the LYNX tool at the virtual Black Hat Conference.

