Prototype Pollution: A Dangerous Vulnerability

what is prototype pollution

Prototype pollution is a JavaScript vulnerability that enables attackers to inject malicious payloads into existing JavaScript construct prototypes, compromising the application. This vulnerability allows attackers to modify the prototype of an object, thereby affecting all objects derived from it. By polluting the prototype, attackers can manipulate the behaviour of JavaScript programs, introducing malicious properties or methods that impact all objects in the prototype chain. Prototype pollution can lead to unauthorized access to data, privilege escalation, remote code execution, and denial of service attacks. It is a critical issue that requires attention to prevent potential security breaches and protect the integrity of JavaScript applications.

Characteristics Values
Type JavaScript vulnerability
Affected JavaScript runtimes
Impact Control of default values of an object's properties, tampering with application logic, denial of service, remote code execution
Attack vector Injection of properties into existing JavaScript construct prototypes
Common sources URL, user input
Preventative measures Freeze prototypes, use Object.create(null) API, use Object.freeze() and Object.seal() APIs

shunwaste

Prototype pollution is a JavaScript vulnerability

Every JavaScript object has the __proto__ attribute, and every object inherits prototypes. Whenever a prototype is added, it is inherited by all objects in the prototype chain. This means that a malicious player could inject properties into existing JavaScript code to trigger a JavaScript exception, causing denial of service, remote code execution, or other severe consequences.

A prototype pollution attack often involves a hacker sending a malicious payload to the backend server, which is then merged with a backend object. This can be prevented by sanitizing untrusted input when recursively setting nested properties. Developers can also use new Set() or new Map() instead of using object literals, and create objects using the Object.create(null) API to ensure they don't inherit from the Object prototype.

In addition, developers can use the Object.freeze and Object.seal() APIs to prevent built-in prototypes from being modified, although this can break the application if the libraries they use modify the built-in prototypes. They can also use tools like the Server-Side Prototype Pollution Scanner extension for Burp Suite to automate the process of probing for sources of prototype pollution.

shunwaste

Attackers can control default values of an object's properties

Prototype pollution is a vulnerability that enables threat actors to exploit JavaScript runtimes. It is a type of injection attack that allows attackers to manipulate the default values of an object's properties. This means that attackers can tamper with the logic of the application, potentially leading to denial of service or, in extreme cases, remote code execution.

In JavaScript, prototypes facilitate inheritance, and an attacker can exploit this to modify shared properties or inject malicious behaviour across objects. For example, an attacker can manipulate the "__proto__" attribute by adding a new prototype to it. Since every JavaScript object has the "__proto__" attribute and inherits prototypes, when a new prototype is added, it is inherited by all objects in the prototype chain. This allows a malicious player to inject properties into existing JavaScript code, compromising the application.

A prototype pollution attack typically involves threat actors injecting a payload into an input, such as a URL, that builds the client-side logic or application rendering. For instance, a URL parser can assign JavaScript objects properties without verifying if the target property is linked correctly to the object prototype. This can result in cross-site scripting (XSS) attacks, where threat actors trigger client-side JavaScript code execution.

Server-side exploitation occurs when threat actors exploit prototype pollution vulnerabilities to modify the object prototype's properties using gadgets located in the application context. This can lead to more severe consequences than client-side attacks, including remote code execution (RCE), SQL injection (SQLi), and authorization and authentication bypass.

Mitigating prototype pollution attacks can be challenging. Proper sanitization of user input is essential, and it is recommended to use a battle-tested library for this purpose. Additionally, when creating new objects, consider using the "`Object.create()` method" instead of the object literal or the object constructor to directly set the prototype of the created object.

What Makes a Pollutant: Ordinary or Not?

You may want to see also

shunwaste

Prototype pollution can lead to denial of service

Prototype pollution is a critical vulnerability that can allow attackers to manipulate an application's JavaScript objects and properties, leading to serious security issues such as unauthorized access to data, privilege escalation, and remote code execution. It is a JavaScript vulnerability that enables an attacker to add arbitrary properties to global object prototypes, which may then be inherited by user-defined objects. This can allow attackers to control the default values of an object's properties, thereby tampering with the logic of the application.

JavaScript objects inherit properties and behaviours from a prototype. Each object has a prototype, and if a property or method is not found on the object itself, JavaScript looks for it in its prototype, and then recursively up the prototype chain until it reaches the top-level Object.prototype. This is referred to as a prototype chain.

By exploiting prototype pollution, attackers can inject properties into existing JavaScript construct prototypes, compromising the application. This is possible when an attacker manipulates the '__proto__' attribute, usually by adding a new prototype to it. As every JavaScript object now has the '__proto__' attribute, whenever a prototype is added, it is inherited by all objects in the prototype chain. This means a malicious player could inject properties into existing JavaScript code to trigger a JavaScript exception, causing a denial of service.

A prototype pollution attack can be carried out by sending a malicious payload to the backend server, which is then merged with a backend object. This payload is injected into an input, like a URL, that builds the client-side logic or application rendering. For example, a URL parser can assign JavaScript objects properties without verifying if the target property is linked correctly to the Object prototype.

To prevent prototype pollution, developers can use new Set() or new Map() instead of using object literals. They can also use the Object.freeze() and Object.seal() APIs to prevent built-in prototypes from being modified. Additionally, tools like the Server-Side Prototype Pollution Scanner extension for Burp Suite can help automate the process of identifying prototype pollution sources.

shunwaste

It can also result in remote code execution

Prototype pollution is a vulnerability that enables threat actors to exploit JavaScript runtimes. In a prototype pollution attack, threat actors inject properties into existing JavaScript construct prototypes, compromising the application. This vulnerability allows threat actors to inject values that overwrite or pollute the "prototype" of a base object. This malicious prototype can be passed to many other objects that inherit that prototype. Once threat actors can control the default values of the object's properties, they can tamper with the application's logic. This can lead to denial of service (DoS) or remote code execution (RCE).

Remote code execution is when an attacker executes malicious code in a target's system, allowing them to take control of the affected system remotely. Prototype pollution can lead to remote code execution because it allows attackers to inject malicious code into the prototype, which is then inherited by all objects in the prototype chain. This means that any object derived from the prototype will contain the malicious code, which can be executed remotely by the attacker.

In JavaScript, objects inherit properties and behaviours from a prototype. Each object has a prototype, and if a property or method is not found on the object itself, JavaScript looks for it in its prototype and then recursively up the prototype chain until it finds it. By modifying the prototype of a commonly used object, attackers can introduce malicious properties or methods that affect all objects derived from that prototype. This allows them to manipulate the behaviour of JavaScript programs and execute arbitrary code.

To achieve remote code execution, attackers can inject a payload into an input, such as a URL, that builds the client-side logic or application rendering. For example, a URL parser can assign JavaScript objects properties without verifying if the target property is linked correctly to the Object prototype. This can lead to client-side exploitation of the prototype pollution vulnerability, allowing attackers to trigger client-side JavaScript code execution.

Server-side exploitation occurs when attackers exploit prototype pollution vulnerabilities to modify the Object prototype's properties using gadgets located in the application context. This can result in remote code execution, as the malicious code is executed on the server. It's important to note that prototype pollution is often unexploitable as a standalone vulnerability, but it can be chained with other vulnerabilities to achieve remote code execution.

shunwaste

Prototype pollution sources and sinks

Prototype pollution is a JavaScript vulnerability that allows attackers to inject properties into existing JavaScript construct prototypes, compromising the application. This vulnerability lets attackers inject values that overwrite or pollute the "prototype" of a base object, which can then be inherited by other objects. This can lead to denial of service (DoS) or remote code execution (RCE).

A prototype pollution source is any user-controllable input that enables the poisoning of prototype objects with arbitrary properties. The most common sources are the URL via either the query or fragment string (hash). For example, a URL parser can assign JavaScript objects properties without verifying if the target property is linked correctly to the Object prototype.

A sink is a JavaScript function or DOM element that enables arbitrary code execution. An example of a sink is the toString() function, where all objects inherit from this new function. By polluting the prototype, attackers can manipulate the behaviour of JavaScript programs in unintended ways, such as adding or overwriting methods or properties to perform actions like data theft, code execution, or denial of service attacks.

An exploitable gadget is any property that is passed into a sink without proper filtering or sanitization. A gadget is attacker-controllable via prototype pollution, allowing them to inherit a malicious version of the property added to the prototype.

To prevent prototype pollution, developers can freeze the default prototype using Object.freeze(Object.prototype) to stop it from being polluted. They can also use tools like the Burp extension, DOM Invader, to automatically identify client-side prototype pollution by finding the source and sink.

Plastic Pollution: Killing Coral Reefs

You may want to see also

Frequently asked questions

Written by
Reviewed by

Explore related products

Share this post
Print
Did this article help you?

Leave a comment