Sec-88
  • 🧑Whoami
  • 🕸️Web-AppSec
    • Features Abuse
      • 2FA
      • Ban Feature
      • CAPTCHA
      • Commenting
      • Contact us
      • File-Upload
      • Inviting Feature
      • Messaging Features
      • Money-Related Features
      • Newsletter
      • Profile - Settings
      • Registration
      • Reset Password
      • Review
      • Rich Editor/Text
      • Social Sharing
      • Billing-Shipping Address Management
      • Integrations - Webhooks
      • API Key Management
    • Reconnaissance
      • Attacking Organizations with big scopes
    • Subdomain Enumeration
    • Fingerprinting
    • Dorking
    • XSS-HTML Injection
    • Improper Authentication
      • JWT Security
    • OAUTH Misconfigurations
      • OAuth 2.0 Basics
      • OAUTH Misconfigurations
    • Auth0 Misconfigurations
    • Broken Access Control
      • Insecure Direct Object References (IDOR)
      • 403 Bypass
    • Broken Link Injection
    • Command Injection
    • CORS
    • CRLF
    • CSRF
    • Host Header Attacks
    • HTTP request smuggling
    • JSON Request Testing
    • LFI
      • LFI to RCE
    • No Rate Limit
    • Parameters Manual Testing
    • Open Redirect
    • Registration & Takeover Bugs
    • Remote Code Execution (RCE)
    • Session Fixation
    • SQL Injection
      • SQL To RCE
    • SSRF
    • SSTI
    • Subdomain Takeover
    • Web Caching Vulnerabilities
    • WebSockets
    • XXE
      • XXE to RCE
    • Cookie Based Attacks
    • CMS
      • AEM [Adobe CMS]
    • XSSI (Cross Site Script Inclusion)
    • NoSQL injection
    • Local VS Remote Session Fixation
    • Protection
      • Security Mechanisms for Websites
      • Cookie Flags
      • SameSite Cookie Restrictions
      • Same-origin policy (SOP)
      • CSP
    • Hacking IIS Applications
    • Dependency Confusion
    • Attacking Secondary Context
    • Hacking Web Sockets
    • IDN Homograph Attack
    • DNS Rebinding Attack
    • LLM Hacking Checklist
    • Bypass URL Filtration
    • Cross-Site Path Traversal (CSPT)
    • PostMessage Security
    • Prototype Pollution
      • Client-Side Prototype Pollution
      • Server-Side prototype pollution
    • Tools-Extensions-Bookmarks
    • WAF Bypassing Techniques
    • SSL/TLS Certificate Lifecycle
    • Serialization in .NET
    • Client-Side Attacks
      • JavaScript Analysis
    • Bug Bounty Platforms/Programs
  • ✉️API-Sec
    • GraphQL API Security Testing
      • The Basics
      • GraphQL Communication
      • Setting Up a Vulnerable GraphQL Server
      • GraphQL Hacking Tools
      • GraphQL Attack Surface
      • RECONNAISSANCE
      • GraphQL DOS
      • Information Disclosure
      • AUTHENTICATION AND AUTHORIZATION BYPASSES
      • Injection Vulnerabilities in GraphQL
      • REQUEST FORGERY AND HIJACKING
      • VULNERABILITIES, REPORTS AND EXPLOITS
      • GraphQL Hacking Checklist
    • API Recon
    • API Token Attacks
    • Broken Object Level Authorization (BOLA)
    • Broken Authentication
    • Evasive Maneuvers
    • Improper Assets Management
    • Mass Assignment Attacks
    • SSRF
    • Injection Vulnerabilities
    • Excessive Data Exposure
    • OWASP API TOP 10 MindMap
    • Scanning APIs with OWASP ZAP
  • 📱Android-AppSec
    • Setup Android App Pentesting environment on Arch
    • Setup Android App Pentesting environment on Mac M4
    • Setup Android Pentesting Environment on Debian Linux
    • Android App Fundamentals
      • Android Architecture
      • Android Security Model
      • Android App Components
        • Intents
        • Pending Intents
    • Android App Components Security Cheatsheet
    • Android App Pentesting Checklist
    • How To Get APK file for application
    • ADB Commands
    • APK structure
    • Android Permissions
    • Exported Activity Hacking
    • BroadcastReceiver Hacking
    • Content Provider Hacking
    • Signing the APK
    • Reverse Engineering APK
    • Deep Links Hacking
    • Drozer Cheat Sheet
    • SMALI
      • SMALI Cheat Sheet
      • Smali Code Patching Guide
    • Intent Redirection Vulnerability
    • Janus Vulnerability (CVE-2017-13156)
    • Task Hijacking
    • Hacking Labs
      • Injured Android
      • Hacking the VulnWebView Lab
      • Hacking InsecureBankv2 App
    • Frida Cheat Sheet
  • 📶Network-Sec
    • Networking Fundamentals
    • Open Ports Security Testing
    • Vulnerability Scanning
    • Client Side Attacks
    • Port Redirection and Tunneling
    • Password Attacks
    • Privilege Escalation [PrevEsc]
      • Linux Privilege Escalation
    • Buffer Overflow (BOF)
      • VulnServer
      • Sync Breez Enterprize
      • Crashed CTF
      • BOF for Linux
    • AV Evasion
    • Post Exploitation
      • File Transfer
      • Maintaining Access
      • Pivoting
      • Clean Up
    • Active Directory
      • Basic AD Pentesting
  • 💻Desktop AppSec
    • Thin Client vs. Thick Client
  • ☁️Cloud Sec
    • Salesforce Hacking
      • Basics
      • Salesforce SAAS Apps Hacking
    • Firebase
    • S3 Buckets Misconfigurations
  • 👨‍💻Programming
    • HTML
    • JavaScript (JS)
      • window.location object
    • Python
      • Python Tips
      • Set
        • SetMethods
    • JAVA
      • Java Essentials
      • Java Essentials Code Notes
      • Java OOP1
      • JAVA OOP Principles
        • Inheritance
        • Method Overriding
        • Abstract Class
        • Interface
        • polymorphism
        • Encapsulation
        • Composition
      • Java OOP Challenges
      • Exception Handling
    • Go
      • Go Syntax Tutorial in one file
      • Methods and Interfaces
      • Go Slices
      • Go Maps
      • Go Functions
      • Concurrency
      • Read Files
      • Write Files
      • Package
        • How to make personal Package
        • regexp Packages
        • Json
        • bufio
        • Time
      • Signals-Exit
      • Unit Testing
  • 🖥️Operating Systems
    • Linux
      • Linux Commands
      • Tools
      • Linux File System
      • Bash Scripting guide
      • tmux
      • Git
      • Install Go tools from private repositories using GitHub PAT
    • VPS
    • Burp Suite
  • ✍️Write-Ups
    • Hunting Methodology
    • API BAC leads to PII Data Disclosure
    • Misconfigured OATUH leads to Pre-Account Takeover
    • Automating Bug Bounty with GitHub Actions
    • From Recon to Reward: My Bug Bounty Methodology when Hunting on Public Bug Bounty Programs
    • Exploring Subdomains: From Enumeration to Takeover Victory
    • 0-Click Account Takeover via Insecure Password Reset Feature
    • How a Simple Click Can Lead to Account Takeover: An OAuth Insecure Implementation Vulnerability
    • The Power Of IDOR even if it is unpredictable IDs
    • Unlocking the Weak Spot: Exploiting Insecure Password Reset Tokens
    • AI Under Siege: Discovering and Exploiting Vulnerabilities
    • Inside the Classroom: How We Hacked Our Way Past Authorization on a Leading EdTech Platform
    • How We Secured Our Client’s Platform Against Interaction-Free Account Thefts
    • Unchecked Privileges: The Hidden Risk of Role Escalation in Collaborative Platforms
    • Decoding Server Behavior: The Key to Mass Account Takeover
    • Exploiting JSON-Based CSRF: The Hidden Threat in Profile Management
    • How We Turned a Medium XSS into a High Bounty by Bypassing HttpOnly Cookie
Powered by GitBook
On this page
  • Understanding JavaScript Prototype Pollution
  • JavaScript Prototypes and Inheritance
  • What is an Object in JavaScript?
  • What is a Prototype in JavaScript?
  • How Does Object Inheritance Work in JavaScript?
  • Modifying Prototypes
  • What is Prototype Pollution?
  • How Do Prototype Pollution Vulnerabilities Arise?
  • Prototype Pollution Sources
  • Prototype Pollution Sinks
  • Prototype Pollution Gadgets
  • Resources

Was this helpful?

Edit on GitHub
  1. Web-AppSec

Prototype Pollution

Understanding JavaScript Prototype Pollution

JavaScript Prototypes and Inheritance

JavaScript uses a prototypal inheritance model, which differs from the class-based inheritance seen in many other programming languages. In this model, every object in JavaScript is linked to a prototype, which is essentially another object from which it inherits properties and methods. Understanding this concept is crucial for grasping how prototype pollution vulnerabilities arise.

What is an Object in JavaScript?

In JavaScript, an object is a collection of key-value pairs, known as properties. For example, consider the following object representing a user:

const user =  {
    username: "wiener",
    userId: 01234,
    isAdmin: false
}

You can access the properties of an object using dot notation or bracket notation:

user.username     // "wiener"
user['userId']    // 01234

These properties can include data or executable functions, referred to as methods.

What is a Prototype in JavaScript?

Every JavaScript object is associated with another object known as its prototype. By default, JavaScript assigns new objects a built-in prototype, such as Object.prototype, String.prototype, or Array.prototype. These prototypes provide useful properties and methods that the object can inherit.

For example:

let myString = "";
Object.getPrototypeOf(myString);    // String.prototype

How Does Object Inheritance Work in JavaScript?

When you reference a property of an object, the JavaScript engine first checks the object itself. If the property doesn’t exist, it then checks the object’s prototype, and if necessary, continues up the prototype chain until it reaches Object.prototype.

For instance:

let myObject = {};
console.log(myObject.toString());   // Inherited from Object.prototype

The prototype chain allows objects to inherit properties and methods from other objects, creating a hierarchy of inheritance.

Modifying Prototypes

In JavaScript, it's possible to modify built-in prototypes, although this is generally considered bad practice. Modifying prototypes allows developers to customize or override the behavior of built-in methods, which can have widespread effects across all objects that inherit from that prototype.

For example, adding a custom method to String.prototype:

String.prototype.removeWhitespace = function(){
    return this.trim();
}

What is Prototype Pollution?

Prototype pollution is a JavaScript vulnerability that allows an attacker to add or modify properties on global object prototypes, which are then inherited by other objects. This can lead to various security issues, such as executing arbitrary code or altering the behavior of applications.

How Do Prototype Pollution Vulnerabilities Arise?

Prototype pollution typically occurs when an application merges user-controllable objects into an existing object without properly sanitizing the keys. This can allow an attacker to inject properties like __proto__, leading to the pollution of the prototype.

For example, if a URL or JSON input allows an attacker to inject __proto__, it might be merged into the target object, leading to:

targetObject.__proto__.evilProperty = 'payload';

As a result, the evilProperty is added to the prototype, affecting all objects that inherit from it.

Prototype Pollution Sources

Common sources of prototype pollution include:

  • URL parameters: An attacker can inject __proto__ via the query string in a URL.

  • JSON input: Malicious JSON can contain __proto__ keys, which when parsed, lead to prototype pollution.

  • Web messages

Prototype Pollution Sinks

A sink is a JavaScript function or DOM element that can execute the malicious properties injected through prototype pollution. For example, if an application uses polluted properties without proper validation, it can lead to vulnerabilities like DOM XSS or even server-side code execution.

Prototype Pollution Gadgets

A gadget is a property that an attacker can control via prototype pollution to execute malicious actions. For example, a library might use a configuration object where an attacker could inject a malicious URL:

let transport_url = config.transport_url || defaults.transport_url;

If an attacker controls transport_url through prototype pollution, they could force the application to load a malicious script.

Resources

PreviousPostMessage SecurityNextClient-Side Prototype Pollution

Last updated 8 months ago

Was this helpful?

🕸️
What is prototype pollution? | Web Security AcademyWebSecAcademy
Logo
JavaScript for bug hunter - prototype pollution vulnerabilityYouTube
Logo