Prototype Pollution Vulnerability - ties2/web-pentest GitHub Wiki

Prototype Pollution is a type of security vulnerability that affects JavaScript applications that process JavaScript Object Notation (JSON) objects. It occurs when an attacker can manipulate or inject properties and methods into an object's prototype chain, leading to unexpected or malicious behavior in the application.

There are different types of Prototype Pollution vulnerabilities, which include:

Property Pollution: This occurs when an attacker injects properties into an object that overwrite or modify existing properties, leading to unexpected behavior. For example, consider the following code:

```js
let obj = {};
Object.prototype.toString = () => "Hello!";
obj.toString(); // "Hello!"
```

Here, an attacker has injected a toString method into Object.prototype. Because obj has no toString of its own, the call obj.toString() resolves through the prototype chain to the injected method, leading to unexpected behavior.

Constructor Pollution: This occurs when an attacker can manipulate the constructor of an object, leading to unexpected or malicious behavior. For example, consider the following code:

```js
function Person(name) { this.name = name; }

let person = new Person("Alice");
Person.prototype.constructor = Object;
person.constructor === Person; // false: the lookup now yields Object
```

Here, an attacker has modified the constructor property of Person.prototype, leading to unexpected behavior in any code that inspects the constructor of a Person instance to decide what kind of object it is dealing with.

Prototype Override: This occurs when an attacker can completely replace an object's prototype with a new one, leading to unexpected or malicious behavior. For example, consider the following code:

```js
function Person(name) { this.name = name; }

let obj = {};
Person.prototype = obj;
let person = new Person("Alice");
person instanceof Person;      // true: obj is now Person.prototype, so...
person.constructor === Person; // ...false: person inherits Object's constructor from obj
```

Here, an attacker has completely replaced Person.prototype with the obj object. New instances of Person no longer inherit the methods and constructor reference of the original prototype, leading to unexpected behavior when creating and using a new instance of Person.

In summary, Prototype Pollution vulnerabilities are serious security risks that can lead to unexpected or malicious behavior in an application. Developers can mitigate these risks by validating user input, sanitizing data, and using libraries and frameworks that are designed to prevent these types of vulnerabilities.

Preventing prototype pollution vulnerabilities

Use input validation and sanitization to prevent prototype pollution attacks, and use libraries that have built-in protection against prototype pollution.
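The following is an added example, not code from the ties2/web-pentest wiki. It ties the property-pollution mechanism described above to the prevention advice: a deliberately vulnerable recursive merge takes a parsed JSON document that carries a "__proto__" key and ends up writing into Object.prototype, while a hardened merge beside it applies the validation the page recommends (drop the keys that reach the prototype chain, only descend into the target's own properties, build into prototype-less objects). The function names, the FORBIDDEN_KEYS set and the sample JSON input are all constructed for this illustration.

```javascript
// Added example (not from the wiki): vulnerable vs. hardened deep merge.
// All names and the sample input below are constructed for illustration.

// Vulnerable: assigns every key it sees. JSON.parse produces an own
// property literally named "__proto__", but target["__proto__"] resolves
// to Object.prototype, so the recursion writes into the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === "object") {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that let a merge reach the prototype chain instead of a plain field.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened: skips the forbidden keys, descends only into the target's own
// properties, and creates nested containers with no prototype at all.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // input validation step
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== "object" || target[key] === null) {
        target[key] = Object.create(null); // nothing to pollute here
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge over a constructed untrusted document (think: a parsed
// request body) and reports whether Object.prototype was polluted. The
// injected property is removed afterwards so each run starts clean.
function pollutes(mergeFn) {
  const untrusted = JSON.parse('{"name":"guest","__proto__":{"isAdmin":true}}');
  const merged = mergeFn({}, untrusted);
  const polluted = ({}).isAdmin === true; // an unrelated object now "is admin"
  delete Object.prototype.isAdmin;
  return { polluted, name: merged.name };
}

// Running both: the vulnerable merge pollutes, the hardened one does not.
console.log("unsafeMerge:", pollutes(unsafeMerge)); // { polluted: true,  name: 'guest' }
console.log("safeMerge:  ", pollutes(safeMerge));   // { polluted: false, name: 'guest' }
```

The hardened merge keeps the legitimate "name" field while discarding the polluting key, which is the behaviour a validation layer in front of any merge, extend or deep-clone helper should have. As a defence in depth, an application that never needs to extend built-in prototypes can also call Object.freeze(Object.prototype) at startup so that a merge that slips through cannot add properties to it; that is left out of the block above so the cleanup step in pollutes() keeps working.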