Prototype Pollution is a vulnerability which affects applications written with JavaScript programming language. JavaScript is a prototype-based language. To provide inheritance, an object can have a prototype object, which acts as a template object that it inherits methods and properties from. An object's prototype object may also have a prototype object, which it inherits methods and properties from, and so on. This is often referred to as a prototype chain.
A link is made between the object instance and its prototype ( __proto__ property, which contains basic functionalities such as toString, constructor and hasOwnProperty), and the properties and methods are found by walking up the chain of prototypes.
An attacker can change the prototype object of the basic object, so it applies to all JavaScript objects in a running application. A malicious code can be provided through user input in web applications via text fields, headers and files.
Impact
This vulnerability may lead to:
Denial of service by triggering JavaScript exceptions
Remote code execution by forcing the code path that the attacker injects
The issue can be found in the source code on the server side.
The issue can be found in the source code on the client side.
Remedy suggestions
Add __proto__to the blacklist and do not copy this field.
Freeze Object.prototype using the Object.freeze() function. After that, the Object.prototype cannot be modified.
You can use an object without a prototype object, then modifying the prototype will not be possible:Object.create(null). But the disadvantage is that this object can break some functionality further. For example, someone might want to call toString() on this object.
Use the latest versions of your JavaScript libraries and update them periodically.