The most frequent functions that lead to Prototype Pollution

We can always go deeper than one level with prototype pollution: the `__proto__` key can sit inside a nested object, not only at the top of the input.

Unsanitized assignment of object properties

const car = Object.assign({}, userInput);

If this input is provided (as JSON, so that `__proto__` becomes an ordinary own key of the parsed object):

{
    "brand": "Mercedes",
    "model": "CLA AMG 45s",
    "__proto__": {
        "evilProperty": "payload"
    }
}

This will be the result:

// The input arrives as JSON, so "__proto__" is an own key of userInput.
// (Writing __proto__: {...} directly in an object literal would instead set the
// literal's prototype and create no key, and Object.assign would copy nothing.)
const userInput = JSON.parse(
    '{"brand":"Mercedes","model":"CLA AMG 45s","__proto__":{"evilProperty":"payload"}}'
);

// Insecure: Object.assign() writes every own key of userInput onto the target
// with a normal assignment, so "__proto__" reaches the setter on
// Object.prototype and replaces car's prototype with the attacker's object.
const car = Object.assign({}, userInput);

console.log(car.brand);         // "Mercedes"
console.log(car.model);         // "CLA AMG 45s"
console.log(car.evilProperty);  // "payload" ⚠️ -> inherited from the injected prototype, not an own property
console.log(Object.getPrototypeOf(car) === Object.prototype); // false -> car's prototype was swapped

// The global Object.prototype itself is not modified by this call:
console.log({}.evilProperty);   // undefined -> only objects built from this input inherit the payload
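The following is an added example, not code from the original page: it reproduces what Object.assign() does with a parsed "__proto__" key and places two defensive copies beside it (an allow-list copy and a copy into a null-prototype target), plus a small check that tells an inherited attacker-controlled property from an own one. The sample JSON and the function names (parseInput, insecureCopy, copyAllowed, copyNullProto, inheritsEvil, demoAssign) are this example's own.

```javascript
// Constructed sample of untrusted input; "__proto__" is an own key after JSON.parse.
const untrustedJson =
  '{"brand":"Mercedes","model":"CLA AMG 45s","__proto__":{"evilProperty":"payload"}}';

function parseInput(json) {
  return JSON.parse(json); // creates "__proto__" as an own data property, no setter involved
}

// Insecure copy: Object.assign assigns each key with [[Set]], so "__proto__"
// hits the accessor on Object.prototype and swaps the target's prototype for
// the attacker-supplied object.
function insecureCopy(input) {
  return Object.assign({}, input);
}

// Mitigation 1: copy only the keys the application expects.
function copyAllowed(input, allowedKeys) {
  const out = {};
  for (const key of allowedKeys) {
    if (Object.prototype.hasOwnProperty.call(input, key)) out[key] = input[key];
  }
  return out;
}

// Mitigation 2: skip keys that reach the prototype chain and copy into a
// null-prototype target, which has no "__proto__" setter at all, so even a key
// that slipped through would become a plain own property instead.
function copyNullProto(input) {
  const out = Object.create(null);
  for (const key of Object.keys(input)) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
    out[key] = input[key];
  }
  return out;
}

// Check: a property that resolves on the object but is not an own property
// came from the prototype chain.
function inheritsEvil(obj) {
  return obj.evilProperty !== undefined &&
    !Object.prototype.hasOwnProperty.call(obj, 'evilProperty');
}

function demoAssign() {
  const input = parseInput(untrustedJson);
  const bad = insecureCopy(input);
  const good1 = copyAllowed(input, ['brand', 'model']);
  const good2 = copyNullProto(input);
  return {
    badInherits: inheritsEvil(bad),              // true: bad's prototype is the payload object
    globalUntouched: ({}).evilProperty === undefined, // true: Object.prototype was not modified
    good1Inherits: inheritsEvil(good1),          // false
    good2Inherits: inheritsEvil(good2),          // false
    good2NullProto: Object.getPrototypeOf(good2) === null, // true
  };
}

console.log(demoAssign());
```

Note that the object spread `{...input}` behaves differently from Object.assign(): it defines "__proto__" as an own data property of the copy and leaves the prototype alone, which is one reason the two are not interchangeable when the input is untrusted.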

Merging objects

Merge of two normal objects:

Merge of normal object and proto polluted object:

`object["value"]` and `object.value` are equivalent; in the `__proto__` case the bracket notation is used so the key can be handled as a plain string (as it arrives from parsed input) and possible runtime errors are avoided.

The payload uses `__proto__` as the key and an object of the form `{"key": "value"}` as its value: when the merge recurses into it, `"key"` is written with the value `"value"` onto the prototype (the "parent") of the object being modified, so every object inheriting from that prototype gains the property.
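The following is an added example, not code from the original page: a naive recursive merge of the kind the section describes, the global pollution it causes with a `{"__proto__": {"key": "value"}}` payload nested one level deep, and a hardened merge beside it. The sample payload and the function names (unsafeMerge, safeMerge, isPolluted, demoMerge) are this example's own.

```javascript
// Vulnerable recursive merge. For an own "__proto__" key, target[key] is read
// through the accessor on Object.prototype and evaluates to target's
// prototype, so the recursion descends into Object.prototype and writes there.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (typeof source[key] === 'object' && source[key] !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: own keys only, never descend through keys that reach the
// prototype chain, and only recurse into an own plain-object slot of target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection: a property that every fresh object inherits is a pollution symptom.
function isPolluted(name) {
  return ({})[name] !== undefined;
}

function demoMerge() {
  // Constructed payload, nested one level below the top of the input.
  const payload = JSON.parse('{"profile":{"__proto__":{"isAdmin":true}}}');

  unsafeMerge({}, payload);
  const polluted = isPolluted('isAdmin'); // true: every {} now reports isAdmin === true
  delete Object.prototype.isAdmin;        // undo the pollution so the rest of the demo is meaningful

  const out = safeMerge({ profile: { name: 'alice' } }, payload);
  return {
    polluted,
    stillCleanAfterSafe: !isPolluted('isAdmin'),
    safeKeptExisting: out.profile.name === 'alice',
    safeDroppedPayload: out.profile.isAdmin === undefined &&
      !Object.prototype.hasOwnProperty.call(out.profile, '__proto__'),
  };
}

console.log(demoMerge());
```

The unsafe branch shows why depth does not protect you: the merge creates `target.profile` as a fresh `{}` and then recurses, and at that level the `__proto__` key is met exactly as it would be at the top. The hardened version iterates `Object.keys()` so only own keys are seen, refuses the three keys that lead into the prototype chain, and only ever recurses into a slot that is an own property of the target.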
