Tariq Hawis tariqhawis

🎯

Focusing

Security Researcher.

10 followers · 3 following

Montreal
https://www.tariqhawis.com

View GitHub Profile

Recently created

Least recently created

Recently updated

Least recently updated

tariqhawis / aliconnect-sdk.md

Last active March 22, 2024 19:47

Prototype Pollution Affecting @aliconnect/sdk package

Affected versions of this package are vulnerable to Prototype Pollution via the sdk function due to missing check if the attribute resolves to the object prototype.

To exploit vulnerability, someone may inject a malicious object from a user controllable input to aim function in aim.js. The input resolves to the object prototype thus modify the behavior of the program.

Poc:

var sdk = require("@aliconnect/sdk")
BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');

tariqhawis / uplot-pp.md

Last active August 6, 2024 17:19

Prototype Pollution Affecting uPlot package, all versions

Overview

μPlot is a fast, memory-efficient Canvas 2D-based chart for plotting time series, lines, areas, ohlc & bars;

Affected versions of this package are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribute resolves to the object prototype.

Details

The module is vulenrable via assign function, the assignment of the property from source to destination occurred without proper validation of the user's input.

tariqhawis / keybase.md

Created December 14, 2020 14:27

Keybase proof

I hereby claim:

I am tariqhawis on github.
I am tariqhawis (https://keybase.io/tariqhawis) on keybase.
I have a public key whose fingerprint is CBF9 4F73 C829 2458 F071 704D 2781 6E61 A18F AF65

To claim this, I am signing this object:

NewerOlder