Category: Coding Mistakes

Session check bypass via JavaScript prototype

Severity: Informational
Impact: Informational
Likelihood: N/A

Description

The node session check can be bypassed if the ID is set to a key that every plain JavaScript object inherits from Object.prototype, such as __proto__ or toString: the lookup returns the inherited value rather than undefined, so the "not found" check passes.

This issue occurs in tls-receipt-verifier/node/src/sessions/assert-session.ts:

// storage is a plain object used as the session map; ServerError and Status
// are the service's own types, imported elsewhere in this module.
export function getSession(id: string) { // id is user's input
	return storage[id] // inherited keys such as "toString" also resolve here
}

export function assertSession(id: string) { // id is user's input
	const session = getSession(id)
	if(!session) { // an inherited function or object is truthy, so this check passes
		throw new ServerError(Status.NOT_FOUND, `session "${id}" not found`)
	}

	return session
}

Impact

If features such as session-ID-based login sessions are later implemented on top of this lookup, they could be bypassed.

Recommendations

The session ID's format should be validated in getSession and assertSession. Alternatively, the lookup may be guarded with a hasOwnProperty() check so that only the storage object's own keys are accepted.
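The following is an added example, not code from the Reclaim Protocol repository: it reproduces the inherited-key lookup described above and puts the two recommended guards beside it. The storage contents, the Session type, the session-ID regex and the plain Error in place of ServerError are all constructed for this illustration.

```typescript
// Added example (not the project's code). Shows why a plain-object lookup
// passes the `if(!session)` check for inherited keys, and two hardened lookups.
type Session = { id: string; createdAt: number }

// Vulnerable pattern: a plain object inherits Object.prototype, so ids such as
// "toString" or "__proto__" resolve to an inherited function/object (truthy).
const storage: Record<string, Session> = {}
storage['abc123'] = { id: 'abc123', createdAt: 1 } // constructed sample session

export function getSessionUnsafe(id: string): Session | undefined {
  return storage[id]
}

// Hardened 1: validate the id format, then accept only the object's own keys.
// The regex is an assumed format, not the project's. Note that "__proto__" and
// "toString" both satisfy this permissive regex, so the own-property check is
// the guard that actually rejects them.
const SESSION_ID_RE = /^[A-Za-z0-9_-]{6,64}$/

export function getSessionSafe(id: string): Session | undefined {
  if (!SESSION_ID_RE.test(id)) return undefined
  if (!Object.prototype.hasOwnProperty.call(storage, id)) return undefined
  return storage[id]
}

// Hardened 2: a Map has no inherited keys, so the lookup cannot collide with
// Object.prototype members.
const storageMap = new Map<string, Session>()
storageMap.set('abc123', { id: 'abc123', createdAt: 1 })

export function getSessionMap(id: string): Session | undefined {
  return storageMap.get(id)
}

// Hardened assertSession using the own-key-checked lookup. Error stands in for
// the service's ServerError.
export function assertSession(id: string): Session {
  const session = getSessionSafe(id)
  if (!session) throw new Error(`session "${id}" not found`)
  return session
}

// Probe: for each id, report whether each variant would treat it as "found".
export function probe(ids: string[]) {
  return ids.map(id => ({
    id,
    unsafeFound: Boolean(getSessionUnsafe(id)),
    safeFound: Boolean(getSessionSafe(id)),
    mapFound: Boolean(getSessionMap(id)),
  }))
}
```

Running probe(['abc123', '__proto__', 'toString', 'missing']) shows the unsafe lookup reporting __proto__ and toString as existing sessions while both hardened lookups reject them; the null-prototype alternative (Object.create(null)) behaves like the Map variant.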

Remediation

CreatorOS Inc provided the following response:

The session is an opaque string right now, and will continue to be. So, even if it's overridden -- it doesn't compromise anything.

Zellic © 2025