For better or worse, JavaScript is the cornerstone of modern Web. Prototype-based languages like JavaScript are susceptible to prototype pollution vulnerabilities, enabling an attacker to inject arbitrary properties into an object's prototype. The attacker can subsequently capitalize on the injected properties by executing otherwise benign pieces of code, so-called gadgets, that perform security-sensitive operations. The success of an attack largely depends on the presence of gadgets, leading to high-profile exploits such as privilege escalation and arbitrary code execution (ACE). This paper proposes Dasty, the first semi-automated pipeline to help developers identify gadgets in their applications' software supply chain. Dasty targets server-side Node.js applications and relies on an enhancement of dynamic taint analysis which we implement with the dynamic AST-level instrumentation. Moreover, Dasty provides support for visualization of code flows with an IDE, thus facilitating the subsequent manual analysis for building proof-of-concept exploits. To illustrate the danger of gadgets, we use Dasty in a study of the most dependent-upon NPM packages to analyze the presence of gadgets leading to ACE. Dasty identifies 1,269 server-side packages, of which 631 have code flows that may reach dangerous sinks. We manually prioritize and verify the candidate flows to build proof-of-concept exploits for 49 NPM packages, including popular packages such as ejs, nodemailer and workerpool. To investigate how Dasty integrates with existing tools to find end-to-end exploits, we conduct an in-depth analysis of a popular data visualization dashboard to find one high-severity CVE-2023-31415 leading to remote code execution. For the first time, our results systematically demonstrate the dangers of server-side gadgets and call for further research to solve the problem.

翻译：JavaScript是现代Web的基石，但利弊共存。基于原型的语言（如JavaScript）易受原型污染漏洞攻击，攻击者可通过注入任意属性至对象原型中，进而利用这些注入属性执行本应无害的代码片段（即所谓的"构件"）实施安全敏感操作。攻击成功与否很大程度上取决于构件的存在，这可能导致提权和任意代码执行（ACE）等高危漏洞利用。本文提出Dasty——首个半自动化流水线，旨在帮助开发者在应用程序的软件供应链中识别构件。Dasty面向服务端Node.js应用，依托于动态AST级插桩技术实现的增强型动态污点分析。此外，Dasty支持在IDE中可视化代码流，从而便于后续人工分析以构建概念验证漏洞利用程序。为展示构件的危险性，我们使用Dasty对最依赖的NPM包开展研究，分析可导致ACE的构件存在情况。Dasty识别出1269个服务端包，其中631个包含可能触及危险汇点的代码流。经过人工优先级排序与验证，我们为49个NPM包（包括ejs、nodemailer和workerpool等流行包）构建了概念验证漏洞利用程序。为探究Dasty与现有工具的集成能力以实现端到端漏洞利用发现，我们深度分析了一个流行数据可视化仪表盘，最终发现导致远程代码执行的高危漏洞CVE-2023-31415。本研究成果首次系统性地揭示了服务端构件的危险性，呼吁开展进一步研究解决该问题。