Search This Blog

Powered by Blogger.

Blog Archive

Labels

Prototype Pollution-like Bug Variant Found in Python

Researcher discovers Python-specific variant of prototype pollution. Other class-based programming languages may also be exposed to similar threats.


Prototype Pollution

Prototype pollution is a severe vulnerability class associated with prototype-based languages, the most popular among them being JavaScript. 

However, a researcher has discovered Python-specific variants of prototype pollution, and other class-based programming languages may also be exposed to similar threats. 

With prototype pollution, a threat actor may access and control the default values of an object’s properties. In addition to allowing the attacker to alter the application's logic, this can also result in denial-of-service attacks or, in severe cases, remote code execution. 

From Prototype Pollution to Class Pollution 

In JavaScript, each object inherits the ‘prototype’ of the parent object, which includes all the functions and characteristics of that object. JavaScript objects can access the functionality of their parents by traversing their prototypes. 

In the course of runtime, the prototype could as well be modified, making JavaScript dynamic and flexible but also dangerous. Prototype pollution attacks utilize and exploit this characteristic in order to modify the behavior of JavaScript applications and to conduct malicious activities. It is claimed that class-based languages like Python are resistant to such manipulations. 

However, security researcher Abdulraheem Khaled has come across a coding scheme that can enable threat actors to conduct prototype pollution-like attacks on Python programs. He has labeled it as ‘class pollution’ in a blog post documenting his findings. 

In regards to the findings, he told The Daily Swig that he discovered the attack while attempting to translate the concepts of JavaScript prototype pollution to Python. 

Manipulating Python Classes 

In order to exploit Python objects, the attacker is required to have an entry point that utilizes the user input to set the attributes of an object. If the user input succeeds in determining both the attribute name and value, the attacker can then exploit it to alter the program’s behavior. 

“The key factor to look for is whether the application uses unsanitized user-controllable input to set attributes of an object (controlling the attribute name to be set and its value) or not,” states Khaled to The Daily Swig. 

Attackers may be able to access parent classes, global variables, and more if the target method employs recursive loops to traverse over the object's characteristics. This merge is deemed "unsafe" by Khaled. 

An attacker could, for instance, alter command strings that the system executes, manipulate the value of important variables, or start denial of service (DoS) attacks by rendering crucial classes dysfunctional.

All Python Applications are Vulnerable 

According to the security researcher, all types of Python applications are vulnerable to these exploits as long as they continue accepting contaminated user input and implement a form of object attribute assignment that is ‘unsafe’. 

In his investigation, he came across various instances where popular Python libraries had an unsafe merge function, which then exposed them to class pollution attacks.

The simplest of all impacts of class pollution would be DoS. Although, these attacks may have much greater and more severe impacts on Python online apps. 

“Prototype pollution is definitely one of the topics that deserve more attention from the community, and we started to see more focus on it recently […] Class pollution might be a new vulnerability that has just come to light, [but] I expect to see it in other programming languages soon,” Khaled concluded.  

Share it:

Class Pollution

Dos Attacks

JavaScript

JavaScript exploit

Prototype Pollution

python

Vulnerabilities and Exploits