Prototype pollution allows an attacker to modify the prototype of an object. This means we can potentially assign new properties or methods to an object. Furthermore, we may be able to overwrite existing properties.
If you’re unfamiliar with prototypes and inheritance, let’s take a look at that first. Otherwise, if you’re familiar with the behavior of JavaScript, then feel free to skip ahead to the exploitation section.
Objects and Prototypes in JavaScript
Objects are groups of properties and methods, assigned with a name. For example, in the video we had a user object with two properties, name and age.
let user = {name: 'jeremy', age: 25}When we create an object like this (it’s called using literal syntax) in JavaScript, it has a prototype. A prototype is also an object, but it acts as a template for creating new objects. If you try to display the property of an object (e.g. user.dateOfBirth) that doesn’t exist, JavaScript will check for it in the object’s prototype.
This is handy because it allows us to set defaults for all objects of a certain type, and then overwrite them as needed on individual objects. For our user, we might want to set a property like isAdmin:False by default for all users, but then change that later on for individual users. The same goes for methods, such as toString().
Exploiting Prototype Pollution
In the above video we saw that it’s trivial to pollute the toString() method locally and change its behavior when called. Let’s suppose we have the ability to update our user account by making a POST request to an API endpoint. Subsequently, we can call the API endpoint with the attribute to view the value.
POST https://vulnerable.com/user/{id}
GET https://vulnerable.com/user/{id}/{property}Our payload in this case may look something like:
curl -X POST https://vulnerable.com/user/101 -d '{"__proto__": {"isAdmin": "True"}}'When we call the API endpoint to check for isAdmin then we would get the following result:
{ isAdmin: True }So how does this work?
JavaScript uses __proto__ to grab the prototype, and assigns isAdmin to the returned prototype object rather than the user object. In this case, because the user object is using the default Object.prototype, all of the user objects in the current runtime will inherit isAdmin, and the default value we assigned (True).
Prototype Pollution Discovery
First of all, we need a point where we can inject arbitrary properties. In the trivial video example, we are not actually impacting an application, simply overwriting the toString() function locally. In our second example in the previous section we had an API endpoint where we could inject malicious properties. Therefore, the first point of call is discovering a point in the application where we can do this. It could be via the URL, an API endpoint, or other point where we can submit data.
The next step is to inject some property that you can check for. For example, using a similar payload as before {"__proto__": {"foo": "bar"}. Now, in your browser console, you can inspect Object.prototype to see if foo:bar exists in the object.
Having access to source code may also help you identify sensitive properties and how they are used. Tools such as Portswigger’s DOM Invader can also assist in discovering prototype pollution vulnerabilities.
Protecting Against Prototype Pollution Attacks
-
- Input sanitization. A cornerstone of security within your application, we should look to ensure that an attacker can’t inject
__proto__. - Use
Object.freeze(Object.prototype)to prevent the prototype of an object from being modified. - Keeping your dependencies patched. The vulnerability is often not your code, but code that’s included in your application.
- Input sanitization. A cornerstone of security within your application, we should look to ensure that an attacker can’t inject
To learn more about Prototype Pollution, check out our Advanced Web Hacking course in TCM Security Academy.
About the Author: Alex Olsen
Alex is a Web Application Security specialist with experience working across multiple sectors, from single-developer applications all the way up to enterprise web apps with tens of millions of users. He enjoys building applications almost as much as breaking them and has spent many years supporting the shift-left movement by teaching developers, infrastructure engineers, architects, and anyone who would listen about cybersecurity.
Alex holds a Master’s Degree in Computing, as well as the PNPT, CEH, and OSCP certifications.
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.
Pentest Services: https://tcmdev.tcmsecurity.com/our-services/
Follow Us: Blog | LinkedIn | YouTube | Twitter | Facebook | Instagram
Contact Us: sales@tcm-sec.com