Prototype Pollution

Affects Node.js

Prototype pollution happens at some unsafe merge, clone, extend and path assignment operations on malicious JSON objects.

This is exploitable only if any of the following three happens:
- Object recursive merge
- Property definition by path
- Object clone
Some of the most popular libraries being affected are lodash and Hoek
Templates are a good target for prototype pollution.

The most straightforward example of prototype pollution involves injecting the __proto__ property, which affects all objects that inherit from Object.prototype.
This example adds the isUserAdmin property to the prototype chain:

{
  "__proto__": {
    "isUserAdmin": true
  }
}

Also, you can directly manipulate the Object.prototype by modifying the __proto__ property. This could be done in objects passed to vulnerable code:

{
  "__proto__": {
    "toString": "malicious code"
  }
}

{
  "a.b.__proto__.isHacked": true
}

The constructor property is part of the prototype chain for JavaScript objects:

{
  "__proto__.constructor": "MaliciousFunction"
}

The hasOwnProperty method is often used to check if an object has a property, but it can be overridden in the prototype:

{
  "__proto__.hasOwnProperty": false
}

If an attacker can manipulate built-in objects' prototypes (like Array.prototype or Function.prototype), they could affect the behavior of all instances of those types:

{
  "__proto__.length": 1000
}

If the application uses a templating engine and allows user input to be rendered without sanitization, an attacker might inject a prototype pollution payload directly via the template:

{
  "__proto__": {
    "isAdmin": true
  }
}

You can directly inject properties into the prototype of custom classes or objects:

{
  "customObjectPrototype.isHacked": true
}

Last updated 5 months ago

Affects Node.js

Prototype pollution happens at some unsafe merge, clone, extend and path assignment operations on malicious JSON objects.

This is exploitable only if any of the following three happens:
- Object recursive merge
- Property definition by path
- Object clone
Some of the most popular libraries being affected are lodash and Hoek
Templates are a good target for prototype pollution.

The most straightforward example of prototype pollution involves injecting the __proto__ property, which affects all objects that inherit from Object.prototype.
This example adds the isUserAdmin property to the prototype chain:

{
  "__proto__": {
    "isUserAdmin": true
  }
}

Also, you can directly manipulate the Object.prototype by modifying the __proto__ property. This could be done in objects passed to vulnerable code:

{
  "__proto__": {
    "toString": "malicious code"
  }
}

{
  "a.b.__proto__.isHacked": true
}

The constructor property is part of the prototype chain for JavaScript objects:

{
  "__proto__.constructor": "MaliciousFunction"
}

The hasOwnProperty method is often used to check if an object has a property, but it can be overridden in the prototype:

{
  "__proto__.hasOwnProperty": false
}

If an attacker can manipulate built-in objects' prototypes (like Array.prototype or Function.prototype), they could affect the behavior of all instances of those types:

{
  "__proto__.length": 1000
}

If the application uses a templating engine and allows user input to be rendered without sanitization, an attacker might inject a prototype pollution payload directly via the template:

{
  "__proto__": {
    "isAdmin": true
  }
}

You can directly inject properties into the prototype of custom classes or objects:

{
  "customObjectPrototype.isHacked": true
}

Last updated 5 months ago