“Finding versions of the jQuery vulnerability for this exploit is not a hard task, but automating an actual exploitation for custom code that makes use of jQuery’s vulnerable API with regards to the prototype pollution would be more difficult. Exploiting server-side closed source code, which is not easy to access for investigation, does require a fair bit of research to find out how polluting a global object scope would affect an application, if prototype pollution is applicable at all in such cases,” added Tal.
The obligation falls on web developers, who need to stop using old versions of jQuery. As with any other software, the jQuery developers continue to issue patches to plug security holes that attackers use to penetrate an otherwise secure website. For the prototype pollution attack, the jQuery developers even went out of their way to issue a backport patch for old versions of the library. This covers websites running even very old releases of jQuery, including version 1.0, which would be considered ancient for any web development software.
For those that cannot apply the patches for one reason or another, the jQuery team also provided the following mitigation strategies to prevent third parties from exploiting the bug: (Direct quote from Snyk.io)
- Ensure you are using safe recursive merge implementations.
- Consider creating objects without a prototype, such as Object.create(null) to avoid them being susceptible to prototype pollution attacks.
- Avoid using square bracket notation when working with user-controlled data, and at all if possible. Consider using the Map language primitive for map-based structures.
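The mitigations above, shown side by side in an added example that is not code from the article, Snyk or the jQuery project: a naive recursive merge of the kind the advisory concerns, next to a hardened merge that uses own keys only, skips prototype-related keys and stores nested data in prototype-less objects. The payload string is constructed for the demonstration.

```javascript
// Naive deep merge: walks every enumerable key the source supplies, including
// "__proto__", so target["__proto__"] resolves to Object.prototype and the
// recursion writes the attacker's keys onto it.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === "object") {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that would let a merge climb into the prototype chain.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened deep merge: own keys only, forbidden keys skipped, and nested
// containers created with Object.create(null) so they have no prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || typeof target[key] !== "object") {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs a constructed JSON payload through both merges and reports whether a
// fresh, unrelated object picked up the injected property.
function demonstrate() {
  const payload = JSON.parse('{"__proto__": {"isAdmin": true}, "theme": "dark"}');
  const results = {};
  unsafeMerge({}, payload);
  results.unsafeLeaks = ({}).isAdmin === true;      // global pollution observed
  delete Object.prototype.isAdmin;                   // undo it so the process stays clean
  const merged = safeMerge(Object.create(null), payload);
  results.safeLeaks = ({}).isAdmin === true;        // stays false
  results.safeKeepsData = merged.theme === "dark";  // legitimate data still merged
  results.safeNoPrototype = Object.getPrototypeOf(merged) === null;
  return results;
}

console.log(demonstrate());
```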