Prototype pollution vulnerability

[cee-chen]

👋 I know this repo is probably no longer maintained - I'm opening this issue for others out there on the internet who still might be using $.deparam and care about this sort of thing. You can grab the fix in my PR here: #61

To be clear also: If you care about security/prototype pollution and using jQuery BBQ, you should be on jQuery 3.4.0+ (and using one of the open PRs to enable jQuery 3 compatibility, e.g. #48 or #42). Otherwise you'll still be vulnerable to pollution via $.extend.

If you're continuing to use jQuery BBQ in production, I recommend maintaining your own fork with #48 and #61 merged/cherry-picked. You'll have to uglify/compress your own final output, but there are online YUI compressors you can easily use.

Reproducing

To see the prototype pollution in action:

• http://benalman.com/code/projects/jquery-bbq/examples/deparam/?__proto__[test]=polluted
• http://benalman.com/code/projects/jquery-bbq/examples/deparam/?someObj[__proto__][test]=polluted
  • Open your browser console and enter ({}).test. Note that it now outputs "polluted".

Why does it matter?

Check the following more malicious examples:

• http://benalman.com/code/projects/jquery-bbq/examples/deparam/?__proto__[hasOwnProperty]=true
  • We've hijacked .hasOwnProperty for every single obj instance on the page.
• http://benalman.com/code/projects/jquery-bbq/examples/deparam/?__proto__[test]=alert(%27hi%27)
  • Run eval({}.test) in your console - this is a potential XSS vector for sites that eval() on user parameters (hopefully none or very few).

Further reading on prototype pollution:

• https://stackoverflow.com/a/60850027/4294462
• https://snyk.io/blog/after-three-years-of-silence-a-new-jquery-prototype-pollution-vulnerability-emerges-once-again/

[mhofman]

FYI, doing Object.create(null) isn't enough as there are other ways to get at the Object.prototype. jQuery fixed this by preventing any __proto__ key part.

For example, here are other vulnerable query strings:
foo[0]=bar&foo[__proto__][__proto__][test]=polluted
foo=bar&foo=baz&foo[__proto__][__proto__][test]=polluted
foo=bar&foo[__proto__][__proto__][test]=polluted

[zifeng-kang]

Hi there,

Unfortunately in https://github.com/cowboy/jquery-bbq/blob/master/jquery.ba-bbq.min.js the prototype pollution is still there and can be launched from the client side (different from the above case which seems to be launched from the server side).

Just check the codes "R=R[S]=P<Q?R[S]||(U[P+1]&&isNaN(U[P+1])?{}:[]):M" in that file. Object.prototype is polluted when some website vulnerable.com is using this library and someone visits https://vulnerable.com/?__proto__[Key]=pollute. Hopefully you can patch that line of code.

Actually I have discovered 6 real-world websites that are using this library and hence having this vulnerability. But I'm not going to disclose them here for the sake of their security. Thanks!

[mzjoker85]

hello, i already reflected this xss on the client website,
Object.prototype.div=['1','']
$('

')
when i use this snippet in browser console it popup a screen "1" .
now it create self xss, i need to draft the code to exploit user upon click.
BugBountyTIP.

[marcovtwout]

Appearantly a CVE was already created for this in 2021: https://www.cve.org/CVERecord?id=CVE-2021-20086