# Client-side prototype pollution

## What is it?

Client-side prototype pollution is an attack that occurs when an attacker is able to manipulate the prototype of a JavaScript object. Because every object that inherits from that prototype picks up the injected properties, this can lead to unexpected behavior in the application, and sometimes to bypassing security measures and remote code execution.

**A simple example**

Consider this vulnerable JavaScript function:

```javascript
function extend(target, source) {
  for (let key in source) {
    target[key] = source[key];
  }
}
```

If an attacker can control the `source` object and sets `source.__proto__.isAdmin = true`, this sets `isAdmin = true` on every object that inherits from `Object.prototype`, potentially leading to an escalation of privileges.
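As an added example (not code from the original page), here is the recursive form of this merge, which is the pattern most real-world prototype pollution sinks follow, beside a hardened version. Note that the one-level `extend` above only re-points `target`'s own prototype: with a JSON-parsed `source`, `target["__proto__"] = source["__proto__"]` changes what `target` inherits from but leaves `Object.prototype` untouched. It is the recursive variant, which descends into `target["__proto__"]` (that is, `Object.prototype`) and assigns the attacker's keys there, that affects every plain object on the page. The names `vulnerableMerge`, `safeMerge` and `runMerge` are chosen here; the JSON input is constructed from the page's own `isAdmin` example.

```javascript
// Added example, not from the original page. A recursive merge that reaches
// Object.prototype, beside a hardened merge that cannot.

// Vulnerable: recurses into any object-valued key, including "__proto__".
// target["__proto__"] is Object.prototype, so the recursion writes the
// attacker's keys onto the shared prototype.
function vulnerableMerge(target, source) {
  for (const key in source) {
    if (typeof target[key] === 'object' && target[key] !== null &&
        typeof source[key] === 'object' && source[key] !== null) {
      vulnerableMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: copy own keys only, refuse the three keys that can reach a
// prototype, and recurse only into properties the target actually owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isObj = (v) => typeof v === 'object' && v !== null;

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;          // drop prototype-reaching keys
    const srcVal = source[key];
    if (isObj(srcVal)) {
      // Inherited properties (like __proto__) are never a recursion target.
      const dst = Object.prototype.hasOwnProperty.call(target, key) && isObj(target[key])
        ? target[key]
        : {};
      target[key] = safeMerge(dst, srcVal);
    } else {
      target[key] = srcVal;
    }
  }
  return target;
}

// Constructed attacker-controlled JSON body, using the page's isAdmin example.
const ATTACKER_JSON = '{"__proto__":{"isAdmin":true},"name":"guest"}';

// Run one merge implementation against a fresh target and report whether an
// unrelated plain object was affected. Cleans up Object.prototype afterwards
// so repeated runs start from a clean state.
function runMerge(mergeFn) {
  const config = {};                                // the application's target object
  const unrelated = {};                             // a plain object created elsewhere
  mergeFn(config, JSON.parse(ATTACKER_JSON));
  const result = {
    configName: config.name,
    configIsAdmin: config.isAdmin,
    unrelatedIsAdmin: unrelated.isAdmin,            // true only if Object.prototype was polluted
    globalPolluted: Object.prototype.hasOwnProperty.call(Object.prototype, 'isAdmin'),
  };
  delete Object.prototype.isAdmin;                  // undo the pollution for the next run
  return result;
}

console.log('vulnerable:', runMerge(vulnerableMerge));
console.log('hardened:  ', runMerge(safeMerge));
```

With `vulnerableMerge`, `unrelated.isAdmin` becomes `true` even though nothing was ever assigned to `unrelated`; with `safeMerge`, `config.name` is still copied but the `__proto__` key is discarded and `Object.prototype` is unchanged. The `hasOwnProperty` check matters as much as the key blocklist: recursing into an inherited property is exactly how the vulnerable version reaches the prototype.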

Which payload works, and what it achieves, depends on the application and the structure of its code. Client-side prototype pollution can often lead to:

* Privilege escalation
* Security measures bypass
* Data manipulation
* Remote code execution

## Checklist

* [ ] Understand the JavaScript environment
  * [ ] What libraries or frameworks are being used
  * [ ] How does the application handle user input
  * [ ] How does the application manipulate objects and their prototypes
* [ ] Identify potential points of attack
  * [ ] User-supplied input that is directly used as an object
  * [ ] Functions that iterate over properties of user-supplied objects
  * [ ] Functions that use the Object or Function constructors with user input
* [ ] Test the prototype
  * [ ] Can you add a new property to the prototype?
  * [ ] Can you modify an existing property on the prototype?
  * [ ] Can you delete a property from the prototype?
* [ ] Test for privilege escalation
  * [ ] Add a new user privilege to the prototype
  * [ ] Modify an existing user privilege on the prototype
  * [ ] Delete a user privilege from the prototype
* [ ] Test for security measures bypass
  * [ ] Add a new security property to the prototype
  * [ ] Modify an existing security property on the prototype
  * [ ] Delete a security property from the prototype
* [ ] Is it actually exploitable?
  * [ ] Is there a blocklist?
  * [ ] Can you bypass the blocklist?
  * [ ] Test for insecure direct object references
  * [ ] Test for remote code execution
* [ ] Test for patches
  * [ ] How does the application behave with patched libraries like Lodash, jQuery, etc.?
  * [ ] Is the patch effective or can it be bypassed?

## Exploitation

```javascript
// Each payload is a JSON body that an unsafe merge would copy into Object.prototype
let payload;

// Add a new property
payload = '{"__proto__":{"polluted":"pwned"}}';

// Modify an existing property
payload = '{"__proto__":{"existingProperty":"new value"}}';

// "Delete" a property: JSON cannot remove a key, so the value is overridden
// with null, which is usually enough to defeat a truthiness check on it
payload = '{"__proto__":{"existingProperty":null}}';

// Adding a user privilege
payload = '{"__proto__":{"isAdmin":true}}';

// Bypassing security measures
payload = '{"__proto__":{"validateInput":false}}';
```
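Two defensive checks that a page owner or reviewer can run against the payloads above, added here as an example rather than code from the original page: a `JSON.parse` reviver that discards prototype-reaching keys at every nesting depth before anything is merged, and a runtime canary that snapshots `Object.prototype`'s own keys and reports any that appear later, which is the simplest in-browser indicator that pollution has already happened. The function names (`parseUntrustedJSON`, `carriesPrototypeKey`, `snapshotPrototype`, `detectPollution`, `demo`) and the nested payload variant are assumptions of this example; the other payloads are copied from the list above.

```javascript
// Added example, not from the original page: defensive parsing and a
// runtime canary for the payloads listed above.

const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Parse untrusted JSON, discarding prototype-reaching keys at every depth.
// Returning undefined from a reviver deletes that property from its holder,
// so no own "__proto__" key survives to reach a merge downstream.
function parseUntrustedJSON(text) {
  return JSON.parse(text, (key, value) => (PROTOTYPE_KEYS.has(key) ? undefined : value));
}

// Does a parsed value carry an own prototype-reaching key anywhere in its tree?
// This is the precondition for a recursive merge to pollute Object.prototype.
function carriesPrototypeKey(value) {
  if (typeof value !== 'object' || value === null) return false;
  for (const key of Object.getOwnPropertyNames(value)) {
    if (PROTOTYPE_KEYS.has(key)) return true;
    if (carriesPrototypeKey(value[key])) return true;
  }
  return false;
}

// Canary: record Object.prototype's own keys (enumerable or not) at startup.
function snapshotPrototype() {
  return new Set(Object.getOwnPropertyNames(Object.prototype));
}

// Return any keys that have appeared on Object.prototype since the snapshot.
function detectPollution(snapshot) {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !snapshot.has(k));
}

// Payloads from the page, plus one constructed nested variant to show that
// the reviver works below the top level.
const PAYLOADS = [
  '{"__proto__":{"polluted":"pwned"}}',
  '{"__proto__":{"isAdmin":true}}',
  '{"__proto__":{"validateInput":false}}',
  '{"settings":{"__proto__":{"isAdmin":true}}}',   // constructed nested variant
];

// Exercise both checks and return the findings.
function demo() {
  const baseline = snapshotPrototype();

  // Naive parsing keeps the own "__proto__" key, so a merge downstream would pollute.
  const naive = PAYLOADS.map((p) => carriesPrototypeKey(JSON.parse(p)));
  // Reviver-based parsing strips it at every depth.
  const hardened = PAYLOADS.map((p) => carriesPrototypeKey(parseUntrustedJSON(p)));

  // Simulate the effect of a successful pollution (the effect, not the vector),
  // confirm the canary reports it, then clean up.
  Object.prototype.polluted = 'pwned';
  const detected = detectPollution(baseline);
  delete Object.prototype.polluted;

  return { naive, hardened, detected, clean: detectPollution(baseline) };
}

console.log(demo());
```

The reviver approach is deliberately coarse: it also drops a legitimate data key named `constructor` or `prototype`, which is almost always acceptable for untrusted input. Freezing `Object.prototype` with `Object.freeze` is a stronger mitigation, but it breaks any library that extends the prototype, so the canary is the check to run first when auditing a page that uses third-party merge or parsing utilities.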
