One researcher, however, has found a variant of prototype pollution that is applicable to Python, while other class-based programming languages might also be vulnerable to similar attacks.
From prototype pollution to class pollution
Class-based languages such as Python are supposedly immune to such manipulations.
LIKE THIS KIND OF CONTENT? Tell us about your experience of The Daily Swig to win swag
However, security researcher Abdulraheem Khaled has discovered a coding scheme that can allow attackers to perform prototype pollution-like attacks on Python programs. He calls it ‘class pollution’ in a blog post documenting his findings.
Manipulating Python classes
In order to pollute Python objects, the attacker needs an entry point that uses user input to set the attributes of an object. If the user input determines both the attribute name and value, then an attacker can exploit it to manipulate the program’s behavior.
“The key factor to look for is whether the application uses unsanitized user-controllable input to set attributes of an object (controlling the attribute name to be set and its value) or not,” Khaled told The Daily Swig.
If the target function uses recursive loops to traverse the object’s attributes, then the attacker can potentially gain access to parent classes, global variables, and more. Khaled calls this an “unsafe merge”.
For example, an attacker can use such functionality to modify command strings executed by the system, change the value of sensitive variables, and trigger denial of service attacks (DoS) by making critical classes dysfunctional.
However, Khaled found that the vulnerable merge function might enable attackers to overcome this limitation by giving them access to global in-app variables and other classes defined in the Python program or imported modules.
Class pollution in the wild
Khaled said that all kinds of Python applications can be vulnerable to this type of attack as long as they take unsanitized user input and implement a form of unsafe object attribute assignment.
During his investigations, he found several instances of popular Python libraries that had an unsafe merge function exposing them to class pollution attacks.
The minimum impact of class pollution would be DoS. But attacks could potentially have deeper effects on Python web applications such as:
- Overwriting the secret key used to sign sessions in Flask web applications and manually crafting valid sessions to stage account takeover attacks
- Circumventing filters – for example bypassing the path traversal prevention implemented in Jinja when trying to load a template file. This leads to local file disclosure and inclusion by enabling attackers to load files from any local directory without being restricted to the templates directory
- Remote command execution, by overwriting COMSPEC or PATH environment variables
“Prototype pollution is definitely one of the topics that deserve more attention from the community, and we started to see more focus on it recently,” Khaled said.
“Class pollution might be a new vulnerability that has just come to light, [but] I expect to see it in other programming languages soon.”
YOU MAY ALSO LIKE Devs urged to rotate secrets after CircleCI suffers security breach