Prototype Pollution: Javascript's Hidden Danger

what is prototype pollution in javascript

Prototype pollution is a critical vulnerability that can occur in JavaScript environments. It is an injection attack that allows attackers to modify the prototype of an object, affecting all objects derived from it. This can lead to serious security issues such as unauthorized access to data, privilege escalation, and remote code execution. Prototype pollution vulnerabilities have been found in popular JavaScript libraries, including jQuery, lodash, express, and minimist. These vulnerabilities can be exploited on both the server and client sides, making it crucial to understand and address them. By polluting the prototype, attackers can manipulate the behaviour of JavaScript programs and inject malicious properties or methods.

Characteristics Values
Type of vulnerability Injection attack
Target JavaScript runtimes
Attacker capabilities Control default values of an object's properties, manipulate application logic, data theft, unauthorized access to data, privilege escalation, denial of service, remote code execution
Affected libraries jQuery, lodash, express, minimist, hoek, node-forge
Defence strategies Use new Set() or new Map() instead of object literals, use Object.create(null) to prevent inheritance from Object prototype, use Object.freeze() and Object.seal() to prevent prototype modification, remove proto property, update dependencies, strictly control parameters

Explore related products

JavaScript: The Definitive Guide: Master the World's Most-Used Programming Language
JavaScript: The Definitive Guide: Master the World's Most-Used Programming Language

$34.3 $79.99

JavaScript Security
JavaScript Security

$10.04 $16.99

JavaScript for hackers: Learn to think like a hacker
JavaScript for hackers: Learn to think like a hacker

$40 $20

Black Hat JavaScript: Advanced Client-Side Exploitation, Reverse Engineering, and Penetration Testing Techniques for Web Hackers
Black Hat JavaScript: Advanced Client-Side Exploitation, Reverse Engineering, and Penetration Testing Techniques for Web Hackers

$7.99 $28.99

JavaScript Security Essentials: Secure Coding Practices for Front-End and Back-End
JavaScript Security Essentials: Secure Coding Practices for Front-End and Back-End

$2.99 $18.99

Security for Web Developers: Using JavaScript, HTML, and CSS
Security for Web Developers: Using JavaScript, HTML, and CSS

$39.11 $42.99

What You'll Learn

shunwaste

Prototype pollution is an injection attack that targets JavaScript runtimes

In JavaScript, objects inherit properties and behaviors from a prototype. Each object has a prototype, and if a property or method is not found on the object itself, JavaScript looks for it in its prototype and then moves up the prototype chain until it finds the property or reaches the top-level Object.prototype. Prototype pollution occurs when an attacker modifies the prototype of a commonly used object, such as Object.prototype or Array.prototype. By polluting the prototype, attackers can introduce malicious properties or methods that affect all objects derived from that prototype.

For example, an attacker can set a property to "__proto__" and add a malicious property with a specific name. This will define the property on all existing objects of the same class in the application, allowing the attacker to control the default values of an object's properties. Successful exploitation of prototype pollution requires a prototype pollution source, which is any input that enables the poisoning of prototype objects with arbitrary properties. A sink, or a JavaScript function that enables arbitrary code execution, is also necessary for a successful attack.

To prevent prototype pollution, developers can use new Set() or new Map() instead of object literals. If objects must be used, they should be created using the Object.create(null) API to ensure they don't inherit from the Object prototype. Additionally, the Object.freeze() and Object.seal() APIs can be used to prevent built-in prototypes from being modified. Removing the "__proto__" property can also help reduce the attack surface and prevent certain prototype pollution attacks.

Boeing's Toxic Legacy in the Duwamish River

You may want to see also

Explore related products

Full Stack JavaScript Strategies: The Hidden Parts Every Mid-Level Developer Needs to Know
Full Stack JavaScript Strategies: The Hidden Parts Every Mid-Level Developer Needs to Know

$52.98 $65.99

JavaScript Pocket Reference: Activate Your Web Pages (Pocket Reference (O'Reilly))
JavaScript Pocket Reference: Activate Your Web Pages (Pocket Reference (O'Reilly))

$16.23 $24.99

Mastering Advanced JavaScript Design Patterns and Practices: Unlock the Secrets of Expert-Level Skills
Mastering Advanced JavaScript Design Patterns and Practices: Unlock the Secrets of Expert-Level Skills

$9.99 $39.99

Essential Cryptography for JavaScript Developers: A practical guide to leveraging common cryptographic operations in Node.js and the browser
Essential Cryptography for JavaScript Developers: A practical guide to leveraging common cryptographic operations in Node.js and the browser

$29.99 $38.99

Essential PHP Security
Essential PHP Security

$13.02 $29.95

JavaScript Exploited: Cutting-Edge Exploitation and Security Testing Techniques for Modern Web Applications
JavaScript Exploited: Cutting-Edge Exploitation and Security Testing Techniques for Modern Web Applications

$7.99 $27.99

shunwaste

Attackers can modify the prototype of an object, affecting all derived objects

Prototype pollution is a critical vulnerability that can occur in JavaScript environments. It allows attackers to modify the prototype of an object, which then affects all objects derived from that prototype. This can have serious consequences, including unauthorized access to data, privilege escalation, and remote code execution.

In JavaScript, objects inherit properties and behaviours from a prototype. Each object has a prototype, and if a property or method is not found on the object itself, JavaScript looks for it in its prototype and then moves up the prototype chain until it reaches the top-level Object.prototype. Attackers can exploit this by modifying the prototype of a commonly used object, such as Object.prototype or Array.prototype. By doing so, they can introduce malicious properties or methods that will affect all objects derived from that prototype.

For example, an attacker can use a technique to pollute the prototype with properties that are used by the application or any imported libraries. They can inject a property with a key like "__proto__" along with arbitrary nested properties. Due to the special meaning of "__proto__" in JavaScript, the merge operation may assign these nested properties to the object's prototype instead of the target object itself. As a result, all objects in the JavaScript runtime will inherit this property unless they already have a property with a matching key.

To protect against prototype pollution, developers can use new Set() or new Map() instead of object literals. If objects must be used, they should be created using the Object.create(null) API to ensure they don't inherit from the Object prototype. Additionally, the Object.freeze() and Object.seal() APIs can be used to prevent built-in prototypes from being modified. It's also important to strictly control parameters and use a whitelist of expected values to prevent problems like massive assignments.

By understanding and addressing prototype pollution vulnerabilities, developers can ensure the security and integrity of their JavaScript applications.

Protect Your Eyes from Environmental Pollution

You may want to see also

Explore related products

120 Advanced JavaScript Interview Questions: Elevate your JavaScript Skills with 100+ Advanced JavaScript Interview Questions (Javascript MEGA bundle)
120 Advanced JavaScript Interview Questions: Elevate your JavaScript Skills with 100+ Advanced JavaScript Interview Questions (Javascript MEGA bundle)

$18.99

Third-Party JavaScript
Third-Party JavaScript

$34.99 $44.99

Trash Vortex: How Plastic Pollution Is Choking the World's Oceans (Captured Science History)
Trash Vortex: How Plastic Pollution Is Choking the World's Oceans (Captured Science History)

$6.52 $9.99

Types of Pollution: How Pollution Impacts the Earth and Simple Ways to Help, Air Pollution, Water Pollution, Soil Pollution, Noise Pollution, Light ... Radioactive Pollution, Plastic Pollution
Types of Pollution: How Pollution Impacts the Earth and Simple Ways to Help, Air Pollution, Water Pollution, Soil Pollution, Noise Pollution, Light ... Radioactive Pollution, Plastic Pollution

$15

Pollution and Conservation Workbook for Kids (Third Grade Science Workbooks)
Pollution and Conservation Workbook for Kids (Third Grade Science Workbooks)

$9.99

Pollution Is Colonialism
Pollution Is Colonialism

$24.28 $25.95

shunwaste

Attackers can control default values of an object's properties, tampering with application logic

Prototype pollution is a vulnerability that occurs in JavaScript environments, allowing attackers to modify the prototype of an object and thereby affect all objects derived from it. This is an injection attack that targets JavaScript runtimes, where an attacker can control the default values of an object's properties, allowing them to tamper with the logic of the application.

JavaScript objects inherit properties and behaviours from a prototype. If a property or method is not found on the object itself, JavaScript looks for it in its prototype and then moves up the prototype chain until it reaches the top-level Object.prototype. Attackers can modify commonly used objects, such as Object.prototype or Array.prototype, and introduce malicious properties or methods that affect all derived objects. This is known as "polluting the prototype".

By polluting the prototype, attackers can manipulate the behaviour of JavaScript programs. They can add or overwrite methods or properties to perform actions such as data theft, code execution, or denial of service attacks. For example, they might override the toString function with a meaningless value, causing the API to crash. Attackers can also leverage other components (gadgets) loaded in the same context to initiate complex attacks, escalate privileges, or gain access to sensitive information.

To prevent prototype pollution, developers can use new Set() or new Map() instead of object literals. If objects are necessary, they should be created using the Object.create(null) API to ensure they don't inherit from the Object prototype. Additionally, the Object.freeze() and Object.seal() APIs can prevent built-in prototypes from being modified, although this may break the application if the libraries modify the built-in prototypes. Schema validation can also help, ensuring that unneeded attributes are rejected.

Plastic Pollution: Disrupting the Balance of Nature

You may want to see also

Explore related products

Kids vs. Plastic: Ditch the straw and find the pollution solution to bottles, bags, and other single-use plastics
Kids vs. Plastic: Ditch the straw and find the pollution solution to bottles, bags, and other single-use plastics

$14.99

Pollution and the Death of Man
Pollution and the Death of Man

$17.89 $21.99

Water Wars: Privatization, Pollution, and Profit
Water Wars: Privatization, Pollution, and Profit

$19.48 $20.95

Spiritual Housecleaning: Protect Your Home and Family from Spiritual Pollution
Spiritual Housecleaning: Protect Your Home and Family from Spiritual Pollution

$13.44 $19

Pollution: Problems Made by Man - Nature Books for Kids Children's Nature Books
Pollution: Problems Made by Man - Nature Books for Kids Children's Nature Books

$21.99

Toxic Communities: Environmental Racism, Industrial Pollution, and Residential Mobility
Toxic Communities: Environmental Racism, Industrial Pollution, and Residential Mobility

$22.54 $28

shunwaste

Prototype pollution vulnerabilities can be exploited on both the server and client sides

Prototype pollution is an injection attack that targets JavaScript runtimes. It is a critical vulnerability that can allow attackers to manipulate an application's JavaScript objects and properties, leading to serious security issues. This vulnerability arises when a JavaScript function merges an object containing user-controllable properties with an existing object, without sanitizing the keys. This enables an attacker to inject a property with a key like "__proto__" and arbitrary nested properties. As a result, malicious properties or methods can be introduced, affecting all objects derived from that prototype.

JavaScript objects inherit properties and behaviours from a prototype. If a property or method is not found on the object itself, JavaScript searches for it in its prototype and then moves up the prototype chain until it reaches the top-level "Object.prototype". By exploiting this mechanism, attackers can modify the prototype of commonly used objects, such as "Object.prototype" or "Array.prototype", and manipulate the behaviour of JavaScript programs. This can lead to data theft, code execution, or denial of service attacks.

To protect against prototype pollution, developers can use new Set() or new Map() instead of object literals. If objects are necessary, the "Object.create(null)" API ensures they don't inherit from the Object prototype. Additionally, Object.freeze() and Object.seal() can prevent built-in prototypes from being modified. Robust websites can also set the prototype to null, preventing any inheritance of properties.

Mexico City's Pollution: Strategies for Improvement

You may want to see also

Explore related products

Developing You Stormwater Pollution Prevention Plan A Guide for Construction
Developing You Stormwater Pollution Prevention Plan A Guide for Construction

$15

Magic in a Drop of Water: How Ruth Patrick Taught the World about Water Pollution
Magic in a Drop of Water: How Ruth Patrick Taught the World about Water Pollution

$14.38 $19.99

Transforming Plastic: From Pollution to Evolution (Planet in Crisis)
Transforming Plastic: From Pollution to Evolution (Planet in Crisis)

$9.95

Oceans of Plastic: Understanding and Solving a Pollution Problem
Oceans of Plastic: Understanding and Solving a Pollution Problem

$22.99

The Whale Who Ate Plastic: Teaching Young Children About the Problem of Ocean Plastic Pollution and the Importance of Recycling (Children’s Environment Books, Recycling & Green Living Books)
The Whale Who Ate Plastic: Teaching Young Children About the Problem of Ocean Plastic Pollution and the Importance of Recycling (Children’s Environment Books, Recycling & Green Living Books)

$11.65

The Darkness Manifesto: On Light Pollution, Night Ecology, and the Ancient Rhythms that Sustain Life
The Darkness Manifesto: On Light Pollution, Night Ecology, and the Ancient Rhythms that Sustain Life

$15 $26

shunwaste

Libraries vulnerable to prototype pollution include jQuery, lodash, express, minimist, and hoek

Prototype pollution is a critical vulnerability that can allow attackers to manipulate a JavaScript application's objects and properties, thereby leading to serious security issues such as unauthorized access to data, privilege escalation, and even remote code execution. It is an injection attack that targets JavaScript runtimes, where an attacker can control the default values of an object's properties. By polluting the prototype, attackers can manipulate the behaviour of JavaScript programs in unintended ways, such as by adding or overwriting methods or properties to perform actions like data theft, code execution, or denial of service attacks.

To prevent prototype pollution, developers can use new Set() or new Map() instead of object literals. Objects should be created using the Object.create(null) API to ensure they don't inherit from the Object prototype. The Object.freeze() and Object.seal() APIs can also be used to prevent built-in prototypes from being modified. Schema validation can be used to ensure that JSON data contains all expected attributes with the appropriate types, and unneeded attributes should be rejected. Additionally, always sanitize untrusted input when recursively setting nested properties, and use libraries like Snyk Advisor to decide which libraries to trust.

Human Impact: Pollution and Our Responsibility

You may want to see also

Frequently asked questions

Written by
Reviewed by

Explore related products

Developing Your Stormwater Pollution Prevention Plan
Developing Your Stormwater Pollution Prevention Plan

$9.99 $15.75

Understanding Environmental Pollution
Understanding Environmental Pollution

$159.49 $178

Marine Pollution: What Everyone Needs to Know®
Marine Pollution: What Everyone Needs to Know®

$18.95

Climate Changed: The Science of Sustainability and How Each of Us Can Do Our Part
Climate Changed: The Science of Sustainability and How Each of Us Can Do Our Part

$25

The Quest for Environmental Justice: Human Rights and the Politics of Pollution
The Quest for Environmental Justice: Human Rights and the Politics of Pollution

$14 $18.95

Air Pollution Control: A Design Approach
Air Pollution Control: A Design Approach

$89.97 $112.46

Pollution Prevention Opportunity Assessments: A Handbook for Businesses
Pollution Prevention Opportunity Assessments: A Handbook for Businesses

$9.99

Let's Investigate Plastic Pollution: On Land and in the Oceans (Get Started with STEM)
Let's Investigate Plastic Pollution: On Land and in the Oceans (Get Started with STEM)

$9.99

ECO-GEAR Anti Pollution Face Mask with Military Grade Protection | Anti Smoke, Exhaust Gas, Dust & Pollen
ECO-GEAR Anti Pollution Face Mask with Military Grade Protection | Anti Smoke, Exhaust Gas, Dust & Pollen

$14.99

Adventures with Finn and Skip: Fish: A tale about ridding the ocean of plastic pollution
Adventures with Finn and Skip: Fish: A tale about ridding the ocean of plastic pollution

$14.99

ECO-GEAR Anti Pollution Face Mask with Military Grade Protection | Anti Smoke, Exhaust Gas, Dust & Pollen
ECO-GEAR Anti Pollution Face Mask with Military Grade Protection | Anti Smoke, Exhaust Gas, Dust & Pollen

$14.99

ECO-GEAR Anti Pollution Face Mask Particulate Respirator Protection | Anti Dust, Exhaust Gas, Smoke, Pollen and Fumes | Washable with 3 Filters Indoor and Outdoor
ECO-GEAR Anti Pollution Face Mask Particulate Respirator Protection | Anti Dust, Exhaust Gas, Smoke, Pollen and Fumes | Washable with 3 Filters Indoor and Outdoor

$6.99

Share this post
Print
Did this article help you?

Leave a comment