This was a proof of concept. The real vulnerability shown is the property pollution and how it can be exploited in cases where user input isn't sanitized before being passed into library code that isn't safe. The proof of concept was just an example of what could happen in a specific case where Next.js and AMP was used, that would pass query parameters directly into the getServerSideProps through the unflatten function, as a way to run arbitrary code on the web server.
@@dealloc Thanks for the clarification. I Really appreciate it, but still I'm amazed of people who actually discover these exploits or vulnerabilities for the first time. How they think, how they do stuff amazes me.
@@hesh1700 inspiration from other vuln types, knowledge of building/coding stuff from scratch (you're a dev) and the time to sit around playing with things your interested (or are paid well) to research.
Subscribed to your channel a while ago because you discussed interesting topics outside of my primary area of interest. As a front end React developer, I'd never thought I'd see a video on your channel that cut so close to home. This is absolutely excellent information to know. omg thank you so much for this video!
This channel is gonna touch millions soon. Every video you create makes me curious about how it all can be broken down and easily hijacked. i love the graphics , very neat and clean.
This is excellent work. So refreshing to find a clear, concise description of tricky topics. Thank you for the work this video took, it was well worth it.
Excellent video and explanation! In my opinion, prototype issues shouldn’t be the module’s issue (i.e flat isn’t vulnerable). It’s the incorrect usage of the module that causes the vulnerability. This is like saying a MySQL library is vulnerable because it allows the programmer to pass unsanitized user input. Putting this responsibility on the module is something I’ve noticed more in JS since npm started it’s automatic “audits” on module installs.
Billion Dollar Companies: Spending Millions on patching vulnerabilities Also Billion Dollar Companies: Shipping Frameworks that sideload code from a CDN and run it on your server without further checks just to save the developer 5 Minutes of thinking.
Addendum: I agree that in this case, the root cause is not the framework itself. However, it is a contributor to the issue and the CDN simply being compromised is another very possible and very unnecessary attack vector that using it adds to your application.
@@cybroxde Yeah, it looks quite insane to me to yolo-execute arbitrary code from a URL without verifying it via their public key with asymmetric cryptography. But AMP is evil anyways, so not too surprised they also added backdoors to servers that comply with them
Fun fact, you used to be able to overwrite undefined to a different value in JS... IIRC it was just window.undefined = true and suddenly everything breaks down
How well does the automated search for exploits actually work? What is the chance that a given exploit is detected? What I do know out of experience is that most exploits have been there for a pretty long time, and that 'there always are exploits'.
It scans for already known vulnerabilities. While there are ways to use somewhat scan for possible vulnerabilities with static analysis and checking for common flaws. But the best known solution is to check against a database of known vulnerabilities, that have been discovered and reported by people.
@@dealloc Hm well now I think of it, it should be pretty easy if you just look for outdated libraries which is dogwork for humans but very systematically approachable in some areas I think. This could for example be used in combination with the Log4jl REC exploit, where basically logging any user input in an outdated library is 'lethal'. What I also do know is that my friend actually tried InteliJ"s search to try to find a recent minecraft server crashing exploit. This exploit had been around for a few years in some, and is in the interest of some very hackerous communities. (shulker box dispenser world height exploit, 'hackerous communities' meaning 2b2t)
@@gimmethedata4256 The issue is not so much to look up dependencies of libraries, that's easy. The hard part is finding the vulnerability in the original library or code where it originates. Any software the relies on code that has vulnerabilities will also inherit those vulnerabilities. But the severity depends on where and how it's used. So it doesn't mean that software that uses a library with vulnerabilities is itself vulnerable if the it's used in places that aren't exploitable. In the case of Log4Shell it is a severe vulnerability for any library and code that passes any user input, but not so much if it doesn't. This is sometimes a problem with automated systems as most of the results can be false positives, especially when scanning development-only environments. It adds a lot of noise and can hide the real threats that appear in code that interfaces with user and other external sources.
@@dealloc Yeah, but finding which things use the lib is already 20% of the most boring part of the work. I agree, it is rly hard to determine systematically whether or not something is an exploit, for therefore you first need to define what user input is. I agree that is really hard. Ig everything that goes through netty can be regarded as 'user input', but there I bet there are tons of ways to connect to netty so that is already a problem. Then you have also got libraries on top of the netty stuff ... then you need some algorithm to follow the stack trace of the user input and 'understand' a lot of internal functions, and how they change the user input. It is also kinda tricky to determine whether or not something is an exploit, I mean for RCE it should be pretty easy, but for teleportation exploits in game it is hard. But hey, even if you find 1% of the exploits systematically, then that is still an absolute win. I mean it is really 1% * times a thousand projects times 10 hidden exploits per project ... That's still a 100 exploits. So therefore I think you should focus on the easily systematically detectable exploits. Would you wanna collaborate on something like that? hobrin#4694
Being someone who recently figured out OOP in JavaScript and wrote a blog to share my knowledge, i rly loved this vid and it made soooo much sense to me
Wow i am not a developer but a light bullb watching your video(s) with a mind blown effect. Thanks for the clear and understandable explanation why and how a exploit works. now i need to check my ops team if they actually manage exploits like these in general.
node can be a nightmare if not done properly right. Keep an eye on package vulnerabilities or jump ship to stable backend scripts like php and python. Not saying they are secure but you have less to worry about.
Same kind of stuff happens in python and Php. Take a look at either language’ eval function. You should only ever use these kind of functions if you are 100% sure what you are doing is safe, but mostly this is mission impossible
@@vanjazed7021 no, seriously. The fact that you can invoke methods on a string literal does not mean that strings are objects, it's merely a convenience mechanism. Strings are passed by value and their "typeof" is not object, so they really are primitive (just like numbers, bools, undefined and null)
Whoever though that flattening user input object into your codebase is alright, and that runContext is going to make better companion than eval? Yet another reason to switch over Sapper and other Svelte minimalistic solutions, in my opinion.
Thank you for tNice tutorials! I've been trying to figure the software out on my own for a wNice tutorialle, and it's horribly confusing. TNice tutorials is the only guide video
I know many people have already made videos abou it, but I really wanted to see youir video about Log4j vulnerability. I wanted to see your opinion as a security researcher, please, if you can, make a video about it.
I'm a bit confused about how the getServerProps is actually exploited, in the example, it's not even receiving data from the url query, also, even if it was, the only prop being returned is the one we actually want, can someone kindly point out which part of the process am I missing?
I'm guessing the unflatten function itself does something to the input that overrides the global Object's __prototype__. Don't even need to return the value
off topic but it's a thing I learned today, in css you can honour text dpi by simply using the "in" unit on :root font-size then use rem everywhere else
I really appreciate your explanations and know this is subjective: But personally I would prefer if you assumed some basic knowledge about a subject and then explain the topic you want rather than explaining everything from the ground up. The explanation for classes, objects, and members felt a little bit underwhelming for the video at hand. That being said, your explanation there was, as always, wonderful, along with the rest of the video!
I don't have familiarity with next.js and I guess readers who do have that understand where in your talk you refer to where a user could cause their arbitrary code to be executed on the server side, but for me, you blow through that very quickly and I don't understand or hear where you explain that. But I guess the bottom line of what you are saying here is that something about next.js or some common way to use it opens such a vulnerability.
I tried your repo. After polluting the prototype like you do at 10:54 I get the 404 but if I try to go to localhost:3000 I still get 404 so I guess the global namespace did not get polluted in my case?
My bad, it's "Almost everything is an object".
hehe .. me not like use front end server thou
@@daruiraikage he meant almost everything in Javascript is an object.
"dont let the feminists see this" haha ... btw really cool work brother
So... everything in python is a cat ;)
I watched 2 of your videos and I realized how fucked we're gonna be when the world goes full digital.....
1 question. "How?" That's a lot of content to keep track of to make this work. Seriously though, your work is awesome and I learned a lot from it.
This was a proof of concept. The real vulnerability shown is the property pollution and how it can be exploited in cases where user input isn't sanitized before being passed into library code that isn't safe.
The proof of concept was just an example of what could happen in a specific case where Next.js and AMP was used, that would pass query parameters directly into the getServerSideProps through the unflatten function, as a way to run arbitrary code on the web server.
@@dealloc Thanks for the clarification. I Really appreciate it, but still I'm amazed of people who actually discover these exploits or vulnerabilities for the first time. How they think, how they do stuff amazes me.
@@hesh1700 inspiration from other vuln types, knowledge of building/coding stuff from scratch (you're a dev) and the time to sit around playing with things your interested (or are paid well) to research.
In the end, the attached HAS to pollute the code on the server for this to work.
Subscribed to your channel a while ago because you discussed interesting topics outside of my primary area of interest. As a front end React developer, I'd never thought I'd see a video on your channel that cut so close to home. This is absolutely excellent information to know. omg thank you so much for this video!
Totally agreed! This video earned him my sub. Interesting to watch his other videos.
This channel is gonna touch millions soon. Every video you create makes me curious about how it all can be broken down and easily hijacked. i love the graphics , very neat and clean.
there’s fun depth to the “everything is an object” thing, basically amounting to “mostly everything is an object”
This is excellent work. So refreshing to find a clear, concise description of tricky topics. Thank you for the work this video took, it was well worth it.
This genuinely is the only thing that made me understand objects. Thank you so so much!
Appreciate your work man! Nice video
Excellent video and explanation!
In my opinion, prototype issues shouldn’t be the module’s issue (i.e flat isn’t vulnerable). It’s the incorrect usage of the module that causes the vulnerability. This is like saying a MySQL library is vulnerable because it allows the programmer to pass unsanitized user input. Putting this responsibility on the module is something I’ve noticed more in JS since npm started it’s automatic “audits” on module installs.
This channel is _awesome_ man! I've just discovered it and I love it! Great work.
This is a great example. Will def be thinking about properly blocking prototype chain traverse while coding.
I liked your presentation and animation skills
Billion Dollar Companies: Spending Millions on patching vulnerabilities
Also Billion Dollar Companies: Shipping Frameworks that sideload code from a CDN and run it on your server without further checks just to save the developer 5 Minutes of thinking.
Addendum: I agree that in this case, the root cause is not the framework itself. However, it is a contributor to the issue and the CDN simply being compromised is another very possible and very unnecessary attack vector that using it adds to your application.
@@cybroxde Yeah, it looks quite insane to me to yolo-execute arbitrary code from a URL without verifying it via their public key with asymmetric cryptography. But AMP is evil anyways, so not too surprised they also added backdoors to servers that comply with them
Lol I have always thought prototype pollutions as an annoyance but you have shown that batshit libraries can make it basically an RCE, goddamnit
Finally a new video I always learn so much
Pwn: a class is basically a structure.
C#: so a structure is basically a class.
> "everything is an object"
> getting "undefined is not an object" all day long
Fun fact, you used to be able to overwrite undefined to a different value in JS... IIRC it was just window.undefined = true and suddenly everything breaks down
Binge watching your vids! Great content btw💕
How well does the automated search for exploits actually work? What is the chance that a given exploit is detected? What I do know out of experience is that most exploits have been there for a pretty long time, and that 'there always are exploits'.
It scans for already known vulnerabilities. While there are ways to use somewhat scan for possible vulnerabilities with static analysis and checking for common flaws. But the best known solution is to check against a database of known vulnerabilities, that have been discovered and reported by people.
@@dealloc Hm well now I think of it, it should be pretty easy if you just look for outdated libraries which is dogwork for humans but very systematically approachable in some areas I think. This could for example be used in combination with the Log4jl REC exploit, where basically logging any user input in an outdated library is 'lethal'.
What I also do know is that my friend actually tried InteliJ"s search to try to find a recent minecraft server crashing exploit. This exploit had been around for a few years in some, and is in the interest of some very hackerous communities. (shulker box dispenser world height exploit, 'hackerous communities' meaning 2b2t)
@@gimmethedata4256 The issue is not so much to look up dependencies of libraries, that's easy. The hard part is finding the vulnerability in the original library or code where it originates. Any software the relies on code that has vulnerabilities will also inherit those vulnerabilities. But the severity depends on where and how it's used. So it doesn't mean that software that uses a library with vulnerabilities is itself vulnerable if the it's used in places that aren't exploitable.
In the case of Log4Shell it is a severe vulnerability for any library and code that passes any user input, but not so much if it doesn't.
This is sometimes a problem with automated systems as most of the results can be false positives, especially when scanning development-only environments. It adds a lot of noise and can hide the real threats that appear in code that interfaces with user and other external sources.
@@dealloc Yeah, but finding which things use the lib is already 20% of the most boring part of the work. I agree, it is rly hard to determine systematically whether or not something is an exploit, for therefore you first need to define what user input is. I agree that is really hard.
Ig everything that goes through netty can be regarded as 'user input', but there I bet there are tons of ways to connect to netty so that is already a problem. Then you have also got libraries on top of the netty stuff ... then you need some algorithm to follow the stack trace of the user input and 'understand' a lot of internal functions, and how they change the user input.
It is also kinda tricky to determine whether or not something is an exploit, I mean for RCE it should be pretty easy, but for teleportation exploits in game it is hard. But hey, even if you find 1% of the exploits systematically, then that is still an absolute win. I mean it is really 1% * times a thousand projects times 10 hidden exploits per project ... That's still a 100 exploits. So therefore I think you should focus on the easily systematically detectable exploits.
Would you wanna collaborate on something like that?
hobrin#4694
Great content an keep it up 💪
Hey! Awesome video btw. Loved it thoroughly 🙌🎉
A class is like a blue print meanwhile a object is a building i guess
Thats why I name my variables Yoda style, instead of isAdmin I put AdminIs
yesAdmin = 'is';
missed ya, master pwnfunction. thx for the post. happy holidays. 🌟
Happy holidays to you too :)
Being someone who recently figured out OOP in JavaScript and wrote a blog to share my knowledge, i rly loved this vid and it made soooo much sense to me
Wow i am not a developer but a light bullb watching your video(s) with a mind blown effect. Thanks for the clear and understandable explanation why and how a exploit works. now i need to check my ops team if they actually manage exploits like these in general.
Damn whenever i feel i know everything in js and then i see something like this which blows my mind..so many more things to learn
Gonna refer my buddies to learn OOP from this wholesome vid
Your Logo is OP!! + the explanation ( Can you make react videos maybe in the future if you know ) ?
im here at 113k subs, and I'll be here for the 1 mil subs. great content ❤️
You earned a sub ;) (and a disc member too :))
This is true black magic. Love it!
more prototype pollution please :)
Hey PwnFunction, just wanted to ask how do you make these videos. It looks really cool especially the drawing thing
great video as usual
Man this is gold. Thanks!
bro i really love your content . especially the way you teach 🔥🔥🔥🔥😍😍😍😍💘💘
Do share a link to your IDE plugins. Digging the layout.
Check the description :)
The Self language pioneered objects without classes. Javascript continued that capability.
Pure gold, thank you!!!
Learnt something new, nice vid
Damn you!!! I swore I’d never learn js, but now I know how to make js classes 😭
Awesome video as a life long hacker i am always amazed however much things change they stay the same.
Awesome work!
I llike the whole, "Eminem is a square" analogy.
glad your back
Stateful server side rendering is the root of all evil.
finally, something interesting popped up in my recommended
Welcome back!
great video! what next.js version is this bug on? have you reported that to vercel?
node can be a nightmare if not done properly right. Keep an eye on package vulnerabilities or jump ship to stable backend scripts like php and python. Not saying they are secure but you have less to worry about.
Same kind of stuff happens in python and Php. Take a look at either language’ eval function. You should only ever use these kind of functions if you are 100% sure what you are doing is safe, but mostly this is mission impossible
"Everything in JavaScript is an object" - well no, not everything, forget that immediately
technically yes, just not the same type of object, but they all have common superclass
@@vanjazed7021 no, seriously. The fact that you can invoke methods on a string literal does not mean that strings are objects, it's merely a convenience mechanism. Strings are passed by value and their "typeof" is not object, so they really are primitive (just like numbers, bools, undefined and null)
Thanks again @PwnFunction hahaha I'll create a list of your repos lol.
12:20 👀👀 Don't to worry child, oh fu*k
great video man, what's your terminal configs btw
Whoever though that flattening user input object into your codebase is alright, and that runContext is going to make better companion than eval?
Yet another reason to switch over Sapper and other Svelte minimalistic solutions, in my opinion.
Amazing video! BTW what's the font?
I love tne way you explain
This is awesome!
Oh god I gotta run snyk against my codebase now
Is it the channel of LiveOverflow's little brother?
how did you know 👀
@@PwnFunction you've been pwned
how did u make yor VScode look so good
did next or amp peps at least patch this? but I guess it's not next or amp vulnerability but the flatten modules
Does this work even when dependencies are minified or do the object properties need to match the names in the objects exactly?
Thank you for tNice tutorials! I've been trying to figure the software out on my own for a wNice tutorialle, and it's horribly confusing. TNice tutorials is the only guide video
what is the whiteboard software u using ?
oop I am first lol that is cool loving your channel so far though!
Haha good eye. The video isn't supposed to be out this soon XD.
@@PwnFunction haha oops
gg
gg
*Me in C programming procedural code, offline*: now this is safety
Which screen recorder do you use bro?
The rectangle class is an object
Well done 💪
Nice explanation
3:40 i just put 2x speed and you say "eminem"
what did you use to animate this video? edit software?
What terminal is that??
2:00 does this mean C structs can be classes
Before C++ was called C++, it was called "C with classes". The classes were a minor enhancement over structures.
are you able to access the base object because it was a global variable? would namespacing protect against this?
The base "Object" is always global.
Please , teach us how to understand and debug code like you
Awesome!!
One day i will understand this video fully :) Thank you for sharing such an awesome content .
I like the penguin
I know many people have already made videos abou it, but I really wanted to see youir video about Log4j vulnerability. I wanted to see your opinion as a security researcher, please, if you can, make a video about it.
No idea what’s happening but I like it.
I'm a bit confused about how the getServerProps is actually exploited, in the example, it's not even receiving data from the url query, also, even if it was, the only prop being returned is the one we actually want, can someone kindly point out which part of the process am I missing?
I'm guessing the unflatten function itself does something to the input that overrides the global Object's __prototype__. Don't even need to return the value
off topic but it's a thing I learned today, in css you can honour text dpi by simply using the "in" unit on :root font-size then use rem everywhere else
nc
HTML Injection explained pls!!
I polluted my pants
waow finally a new video
(proceeds to continue)
I really appreciate your explanations and know this is subjective: But personally I would prefer if you assumed some basic knowledge about a subject and then explain the topic you want rather than explaining everything from the ground up. The explanation for classes, objects, and members felt a little bit underwhelming for the video at hand. That being said, your explanation there was, as always, wonderful, along with the rest of the video!
Thanks! I'll apply that next time. A bunch of people also told me the same thing. I appreciate the feedback.
@@PwnFunction I really appreciated and enjoyed how it was broken down and explained.
Subscribed and liked as well!
Consider putting in timestamps so people who already know it can skip ahead easily and beginners can still watch the basic stuff
@@PwnFunction btw what colorscheme you're using in vscode in this video, sir? mine is the default and not really that colorful...
npm audit fix --force
thanks alot
Thank you
I don't have familiarity with next.js and I guess readers who do have that understand where in your talk you refer to where a user could cause their arbitrary code to be executed on the server side, but for me, you blow through that very quickly and I don't understand or hear where you explain that. But I guess the bottom line of what you are saying here is that something about next.js or some common way to use it opens such a vulnerability.
pretty cool!
Wow! this is a good video
I tried your repo. After polluting the prototype like you do at 10:54 I get the 404 but if I try to go to localhost:3000 I still get 404 so I guess the global namespace did not get polluted in my case?
can we do a video where you don’t explain the entirety of OOP beforehand
I never knew that you could just add random new variables into objects into Javascript. What an abomination
Jesus 😯 really cool hack