A few technical questions about the source code
gogo9th opened this issue · 4 comments
Hi,
Thanks a lot for open-sourcing such a great tool. I have looked into the source code and have a few questions. I would really appreciate it if you could answer them.
Q1.
In ODG, what is the role of the attribute "pythonfunc"? These are defined in src/plugins/internal/modeled_js_builtins.py as like string_p_reverse(). I think these Python functions model the logic of the target JavaScript native functions. If this is so, what is the purpose of modeling them?
Q2.
I run the following command:
$ python ./odgen.py hello.js -m -a -q --export hello -t os_command
If the file "hello.js" is as follows:
function exploit(string, input, val){
var inner = string + "123";
var link = inner + "123";
eval(link);
}
module.exports = {exploit};
Then I get the following successful output:
|Checker| success: [['18', '37', '44', '51']] color: green
Attack Path:
==========================
$FilePath$/home/skyer/Desktop/ODGen-master/hello.js
Line 3 function exploit(string, input, val){
var inner = string + "123";
var link = inner + "123";
eval(link);
}
$FilePath$/home/skyer/Desktop/ODGen-master/hello.js
Line 4 var inner = string + "123";
$FilePath$/home/skyer/Desktop/ODGen-master/hello.js
Line 5 var link = inner + "123";
$FilePath$/home/skyer/Desktop/ODGen-master/hello.js
Line 6 eval(link);
However, if the file "hello.js" is as follows (module.exports is replaced by export):
function exploit(string, input, val){
var inner = string + "123";
var link = inner + "123";
eval(link);
}
module.exports = {exploit};
Then I get the following problematic output:
os_command not detected. Have you tried the "-ma" argument?
If it's a Node.js package, you can also try the '--nodejs -a' argument.
Is this because the usage of "import" and "export" is currently not supported by ODGen? If so, in order to add the support for this, which function am I supposed to modify?
[???]
If I run the analysis on a (non-module) regular NodeJS file such as the following:
function exploit(string, input, val){
var inner = string + "123";
var link = inner + "123";
eval(link);
}
exploit(1,2,3);
What should be the command?
Hi,
Thank you for being interested in our project. I answered the questions inline, please take a look.
Q1,
"pythonfunc" is used to use python to model the behavior of JavaScript libraries. With the help of pythonfunc, we can simulate the functionalities of built-in packages such as "string.reverse", "array.forEach".
Q2,
I do not see the difference between the two examples. Could you please help me to mark the difference? We do support "export" and can support "import" by babel. You can check out the "--babel" command and have a try.
As for the non-module NodeJS file, since for normal JavaScript files, we do not know which variable is the user input or the tainted variable, we can not set the taint marker. For example, in the example you provide to us, we do not know which function to detect and which argument is the user input. Thus to analyze such NodeJS files, one needs to export functions and let us know which function is treated as user-accessible and should be treated as the start point of the analyzing process.
Thanks very much for your kind reply.
Regarding Q2, I apologize for my typo. I actually meant this source code:
function exploit(string, input, val){
var inner = string + "123";
var link = inner + "123";
eval(link);
}
export exploit;
And I get this output:
os_command not detected. Have you tried the "-ma" argument?
If it's a Node.js package, you can also try the '--nodejs -a' argument.
You said using --babel will solve the problem, but --babel will transpile the ES6+ code to ES5, so the final code won't have the "export" and "import' keywords, right?
Q3. Today I happened to find this source code: https://github.com/Song-Li/ObjLupAnsys/tree/main/src. I think ODGen generates exactly the same object dependency graph as ObjLupAnsys does, and ODGen's extra feature is additional ways of analyzing the object dependency graph to identify other types of attacks besides the property pollution attack. So, ObjLupAnsys does not have any new new functionality that does not exist in ODGen. Is this correct?
Q2, the answer is YES. After using babel, the converted code should not include "import" and "export".
Q3, Both ObjLupAnsys and ODGen generate ODG, but they use the generated graph in different ways. The difference is ObjLupAnsys uses real-time Object Lookup Analysis to detect prototype pollution vulnerability, and ODGen uses graph query to do so. At the same time, by graph query, ODGen can also detect other vulnerabilities such as command injection, path traversal, and XSS.
At the same time, we found that for the prototype pollution vulnerability, the performance of real-time detection is better than graph query. So in the latest ODGen project, we migrate the ObjLupAnsys approach to detect prototype pollution vulnerability. For other vulnerabilities, ODGen still uses graph queries.
Got it, thanks very much for all clarifications!