Client-side prototype pollution

What is it?

Client-side Prototype Pollution is an attack that occurs when an attacker is able to manipulate the prototype of a JavaScript object. This can lead to unexpected behavior in the application, and sometimes lead to bypassing of security measures and Remote Code Execution.

A simple example

Consider this vulnerable JavaScript function:

function extend(target, source) {
  for (let key in source) {
    target[key] = source[key];
  }
}

If an we can control the source object and sets source.__proto__.isAdmin = true, then this will set isAdmin = true on all objects that inherit from Object, potentially leading to an escalation of privileges.

Note that payload or attack depends on the application and the structure of the code. Client-side Prototype Pollution can often lead to:

• Privilege escalation

• Security measures bypass

• Data manipulation

• Remote code execution

Other learning resources:

Writeups:

Checklist

• Understand the JavaScript environment

  • What libraries or frameworks are being used

  • How does the application handle user input

  • How does the application manipulate objects and their prototypes

• Identify potential points of attack

  • User-supplied input that is directly used as an object

  • Functions that iterate over properties of user-supplied objects

  • Functions that use the Object or Function constructors with user input

• Test the prototype

  • Can you add a new property to the prototype?

  • Can you modify an existing property on the prototype?

  • Can you delete a property from the prototype?

• Test for privilege escalation

  • Add a new user privilege to the prototype

  • Modify an existing user privilege on the prototype

  • Delete a user privilege from the prototype

• Test for security measures bypass

  • Add a new security property to the prototype

  • Modify an existing security property on the prototype

  • Delete a security property from the prototype

• Is it actually exploitable?

  • Is there a blocklist?

  • Can you bypass the blocklist?

  • Test for insecure direct object references

  • Test for remote code execution

• Test for patches

  • How does the application behave with patched libraries like Lodash, JQuery, etc.?

  • Is the patch effective or can it be bypassed?

Exploitation

// Add new property
payload = '{"__proto__":{"polluted":"pwned"}}'

// Modify an existing property
payload = '{"__proto__":{"existingProperty":"new value"}}'

// Delete a property
payload = '{"__proto__":{"existingProperty":null}}'

// Adding user privilege
payload = '{"__proto__":{"isAdmin":true}}'

// Bypassing security measures
payload = '{"__proto__":{"validateInput":false}}'