Prototype Pollution
Test name: Prototype Pollution
Test ID: proto_pollution
Summary
Prototype Pollution is a vulnerability that affects applications written in JavaScript. JavaScript is a prototype-based language: to provide inheritance, an object can have a prototype object, which acts as a template from which it inherits methods and properties. That prototype object may itself have a prototype, from which it inherits in turn, and so on. This is referred to as the prototype chain.
A link is made between an object instance and its prototype (the `__proto__` property, which contains basic functionality such as `toString`, `constructor` and `hasOwnProperty`), and properties and methods are resolved by walking up the chain of prototypes.
An attacker who can change the prototype of the base `Object` affects every JavaScript object in the running application, because they all inherit from it. Malicious input can reach such code in web applications via text fields, headers and uploaded files.
Impact
This vulnerability may lead to:
- Denial of service by triggering JavaScript exceptions
- Remote code execution by forcing the code path that the attacker injects
- Escalating to Reflected XSS
Example
Changing the basic method `toString` (browser console session; `user.__proto__` is `Object.prototype`, so the override applies to every object):
>let user = {name: "Pascal", age: "55"}
>console.log(user.toString())
// shows: [object Object]
>user.__proto__.toString = ()=>{alert("vulnerability")}
>user.toString()
// alert box pops up: "vulnerability"
Location
- The issue can be found in the source code on the server side.
- The issue can be found in the source code on the client side.
Remedy suggestions
- Add `__proto__` to the blacklist and do not copy this field.
- Freeze `Object.prototype` using the `Object.freeze()` function. After that, `Object.prototype` cannot be modified.
- You can use an object without a prototype object, so that modifying the prototype is not possible: `Object.create(null)`. The disadvantage is that such an object can break functionality further on; for example, someone might want to call `toString()` on it.
- Use the latest versions of your JavaScript libraries and update them periodically.
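The example and the remedies above, worked through as added code that is not part of the original page: a recursive merge of user-supplied JSON into a config object, first in a form that pollutes `Object.prototype`, then hardened. It goes slightly beyond the list above by also dropping the `constructor` and `prototype` keys, which reach the prototype by another route; `unsafeMerge`, `safeMerge`, `isPolluted`, `runDemo` and the `PAYLOAD` string are hypothetical names and constructed input.

```javascript
// Added example, not from the original page: a recursive "deep merge" of
// user-supplied JSON into a config object, first vulnerable, then hardened.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
// Constructed attacker-style input; JSON.parse stores "__proto__" as an own key.
const PAYLOAD = '{"theme": "dark", "__proto__": {"isAdmin": true}}';
const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
// Vulnerable: target["__proto__"] hits the inherited accessor and returns
// Object.prototype, so the nested keys land on every object in the process.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened (remedy 1 above): own keys only, and the keys that reach the prototype
// chain are dropped. Pair with Object.freeze(Object.prototype) at startup (remedy 2).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection probe: a freshly created object must never inherit "isAdmin".
const isPolluted = () => ({}).isAdmin === true;

// Runs all three cases and removes the polluted property afterwards.
function runDemo() {
  unsafeMerge({}, JSON.parse(PAYLOAD));
  const afterUnsafe = isPolluted();                        // true: prototype polluted
  delete Object.prototype.isAdmin;                         // undo the demonstration
  unsafeMerge(Object.create(null), JSON.parse(PAYLOAD));   // remedy 3: no prototype to reach
  const afterNullProto = isPolluted();                     // false
  const cfg = safeMerge({}, JSON.parse(PAYLOAD));
  return { afterUnsafe, afterNullProto, afterSafe: isPolluted(), keys: Object.keys(cfg).join(",") };
}
```

The probe in `isPolluted` is the same check a test suite can run after every merge of untrusted input: any property that a fresh `{}` inherits unexpectedly means the prototype has been written to.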
Classification
- CWE-1321
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L