Understand the vulnerability

When it comes to leveraging the vulnerability

During exploitation our objective is to modify the __proto__ property of a JavaScript object, which points at the prototype every object of that kind inherits from. If this is possible, properties we inject are inherited by unrelated objects, and depending on how the application uses them this can lead to executing malicious JavaScript code either on the client side or on the server side.

For example:

When we send this object to the NodeJS backend:

{
    "brand": "Mercedes",
    "model": "CLA AMG 45s"
}

Which becomes an object:

const userInput = {
    brand: "Mercedes",
    model: "CLA AMG 45s"
};

// Car class that will be built from the user input
class Car {
    constructor(brand, model) {
        this.brand = brand;
        this.model = model;
    }

    getDescription() {
        return `${this.brand} ${this.model}`;
    }
}

// Creating a Car object based on user input
const car = new Car(userInput.brand, userInput.model);
console.log(car.getDescription()); // "Mercedes CLA AMG 45s"

Our job is also to modify the __proto__ property, which exists on every object in JavaScript. The request body above only carries brand and model, but nothing stops a client from adding a __proto__ key, and if the backend copies keys from the parsed body into its own objects without filtering, that key reaches the shared prototype.
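As an added illustration (not part of the original page), the code below shows a backend-style recursive merge that copies the parsed request body verbatim and thereby lets a __proto__ key land on Object.prototype, beside a hardened merge that refuses prototype-reaching keys. The functions unsafeMerge, safeMerge and demo and the sample body are constructed for this example.

```javascript
// Added example: recursive merge of an untrusted JSON body, vulnerable vs. hardened.

// Vulnerable merge: assigns every key from the parsed body, including "__proto__".
// target["__proto__"] resolves to Object.prototype, so the nested keys are written there.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === "object" && value !== null) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skip keys that reach the prototype chain, iterate only own keys,
// and only recurse into properties the target actually owns.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === "object" && value !== null) {
      if (!hasOwn(target, key) || typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed request body modelled on the page's Car payload, with an extra
// "__proto__" key the backend never expected. JSON.parse keeps it as an own key.
const body = '{"brand":"Mercedes","model":"CLA AMG 45s","__proto__":{"isAdmin":true}}';

// Runs one merge and reports whether an unrelated, freshly created object now
// inherits the injected property; cleans up so repeated runs stay independent.
function demo(merge) {
  merge({}, JSON.parse(body));
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

console.log("unsafeMerge polluted:", demo(unsafeMerge)); // true
console.log("safeMerge polluted:", demo(safeMerge));     // false
```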

