# Client-side prototype pollution

## What is it?

Client-side prototype pollution is an attack that occurs when an attacker is able to manipulate the prototype of a JavaScript object from the browser. Because every object that inherits from that prototype picks up the injected properties, this can lead to unexpected behaviour in the application and sometimes to bypassing security measures or even remote code execution.

**A simple example**

Consider this vulnerable JavaScript function:

```javascript
// Deliberately vulnerable: copies every enumerable key of `source`, including
// a "__proto__" key, onto `target` without any filtering.
function extend(target, source) {
  for (let key in source) {
    target[key] = source[key];
  }
}
```

If an attacker can control the `source` object and sets `source.__proto__.isAdmin = true`, then `isAdmin = true` is set on every object that inherits from `Object`, potentially leading to an escalation of privileges.
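To make the inheritance effect concrete, the following is an added example (not code from the original page): a recursive merge in the style of `extend()` that walks into a `__proto__` key coming from JSON-parsed input, shown beside a hardened version that iterates only own keys and skips the names that reach the prototype chain. The payload string is constructed here (the page's payload shape plus one benign key so the safe merge has something legitimate to keep), and the function names are assumptions.

```javascript
// Added example, not code from the page. Runs under Node; no dependencies.
// Constructed input: the page's "__proto__" payload plus a benign "settings" key.
const PAYLOAD = '{"settings":{"theme":"dark"},"__proto__":{"polluted":"pwned"}}';

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: recurses into every key. JSON.parse() creates an *own* property
// named "__proto__", so for-in yields it; target["__proto__"] resolves through
// the accessor on Object.prototype to Object.prototype itself, and the
// recursion then writes onto that shared prototype.
function vulnerableMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      vulnerableMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: own keys only, and the three names that reach the prototype chain
// are never merged. "constructor"/"prototype" are blocked as well because the
// constructor.prototype path reaches the same object in other merge styles.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      // Only recurse into an *own* plain-object property of target; an
      // inherited one would again be a path into the prototype.
      const existing = hasOwn(target, key) && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs both merges against a fresh empty object and reports what every other
// object in the runtime inherits afterwards.
function demonstrateMerge() {
  const before = ({}).polluted;                 // undefined: prototype is clean
  vulnerableMerge({}, JSON.parse(PAYLOAD));
  const after = ({}).polluted;                  // "pwned": inherited by every object
  delete Object.prototype.polluted;             // undo before the hardened run
  const merged = safeMerge({}, JSON.parse(PAYLOAD));
  return {
    before,
    after,
    afterSafe: ({}).polluted,                   // still undefined
    mergedKeys: Object.keys(merged),            // ["settings"]: benign data kept
    theme: merged.settings.theme,               // "dark"
  };
}

console.log(demonstrateMerge());
```

The fix is the combination of `Object.keys()` (which never lists inherited keys) and the blocklist; either alone is weaker, because `Object.keys()` still returns an own `"__proto__"` key produced by `JSON.parse()`, and a blocklist applied during `for...in` still lets a recursion step land on an inherited object.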

Note that the payload and the attack depend on the application and the structure of its code. Client-side prototype pollution can often lead to:

* Privilege escalation
* Security measures bypass
* Data manipulation
* Remote code execution

**Other learning resources:**

*

**Writeups:**

*

## Checklist

* [ ] Understand the JavaScript environment
  * [ ] What libraries or frameworks are being used
  * [ ] How does the application handle user input
  * [ ] How does the application manipulate objects and their prototypes
* [ ] Identify potential points of attack
  * [ ] User-supplied input that is directly used as an object
  * [ ] Functions that iterate over properties of user-supplied objects
  * [ ] Functions that use the Object or Function constructors with user input
* [ ] Test the prototype
  * [ ] Can you add a new property to the prototype?
  * [ ] Can you modify an existing property on the prototype?
  * [ ] Can you delete a property from the prototype?
* [ ] Test for privilege escalation
  * [ ] Add a new user privilege to the prototype
  * [ ] Modify an existing user privilege on the prototype
  * [ ] Delete a user privilege from the prototype
* [ ] Test for security measures bypass
  * [ ] Add a new security property to the prototype
  * [ ] Modify an existing security property on the prototype
  * [ ] Delete a security property from the prototype
* [ ] Is it actually exploitable?
  * [ ] Is there a blocklist?
  * [ ] Can you bypass the blocklist?
  * [ ] Test for insecure direct object references
  * [ ] Test for remote code execution
* [ ] Test for patches
  * [ ] How does the application behave with patched libraries like Lodash, jQuery, etc.?
  * [ ] Is the patch effective or can it be bypassed?
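The "test the prototype" and "test for privilege escalation" items above have a defender-side counterpart: a way to tell whether `Object.prototype` currently carries runtime-added properties, and property checks that are not fooled by inherited values. The following is an added example (not code from the original page) that can be pasted into a browser console or a test suite; the function names and the `isAdmin` field are assumptions, and the pollution is simulated by direct assignment so the checks can be exercised without a vulnerable merge.

```javascript
// Added example, not code from the page. Runs under Node or in a browser console.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Every built-in member of Object.prototype (toString, hasOwnProperty, ...) is
// non-enumerable, so any key Object.keys() reports on it was added at runtime
// and is worth investigating. An empty array is the healthy result.
function findPollutedKeys(proto = Object.prototype) {
  return Object.keys(proto);
}

// Fooled: plain property access (and the "in" operator) walk the prototype
// chain, so a property injected on Object.prototype looks like the user's own.
function isAdminUnsafe(user) {
  return user.isAdmin === true;
}

// Not fooled: only an own property counts. Object.hasOwn(user, 'isAdmin')
// (ES2022) is the modern spelling of the same check.
function isAdminSafe(user) {
  return hasOwn(user, 'isAdmin') && user.isAdmin === true;
}

// Security-relevant state can also live on a prototype-less object: with
// Object.create(null) there is no chain for an injected property to arrive through.
function makeSession(id) {
  const session = Object.create(null);
  session.id = id;
  return session;
}

function demonstrateChecks() {
  const user = JSON.parse('{"name":"alice"}');   // constructed input: no isAdmin field
  const clean = findPollutedKeys();              // [] on an unpolluted runtime
  Object.prototype.isAdmin = true;               // simulate the outcome of a successful pollution
  const result = {
    clean,
    polluted: findPollutedKeys(),                // ["isAdmin"]: the audit spots it
    unsafe: isAdminUnsafe(user),                 // true: privilege inherited, not granted
    safe: isAdminSafe(user),                     // false: own-property check holds
    session: makeSession('s-1').isAdmin,         // undefined: nothing to inherit from
  };
  delete Object.prototype.isAdmin;               // restore the runtime
  return result;
}

console.log(demonstrateChecks());
```

`Object.freeze(Object.prototype)` is sometimes deployed as a last line of defence so that later writes to the prototype fail (silently in sloppy mode, with a `TypeError` in strict mode); it is not shown here because it is global and can break libraries that legitimately extend built-in prototypes, so it needs testing against the application's full dependency set.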

## Exploitation

```javascript
// Each payload is a JSON string. It only takes effect if the application
// parses it and merges the result into an object without filtering "__proto__".
let payload;

// Add new property
payload = '{"__proto__":{"polluted":"pwned"}}';

// Modify an existing property
payload = '{"__proto__":{"existingProperty":"new value"}}';

// Delete a property (overwrites it with null on the prototype rather than removing it)
payload = '{"__proto__":{"existingProperty":null}}';

// Adding user privilege
payload = '{"__proto__":{"isAdmin":true}}';

// Bypassing security measures
payload = '{"__proto__":{"validateInput":false}}';
```
