{"id":10281,"date":"2024-08-06T11:34:25","date_gmt":"2024-08-06T09:34:25","guid":{"rendered":"https:\/\/www.vaadata.com\/blog\/?p=10281"},"modified":"2024-08-06T11:34:28","modified_gmt":"2024-08-06T09:34:28","slug":"what-is-prototype-pollution-exploitations-and-security-tips","status":"publish","type":"post","link":"https:\/\/www.vaadata.com\/blog\/what-is-prototype-pollution-exploitations-and-security-tips\/","title":{"rendered":"What is Prototype Pollution? Exploitations and Security Tips"},"content":{"rendered":"
\n
\"What<\/figure>\n<\/div>\n\n\n

Prototype pollution vulnerabilities are specific to JavaScript. They can be exploited on both the server and client sides. These vulnerabilities allow attackers to execute malicious code or steal data.<\/p>\n\n\n\n

It is therefore crucial to understand and address these vulnerabilities. This article details the principles of prototype pollution vulnerabilities, server-side and client-side exploits, as well as the measures to implement to counter these attacks.<\/p>\n\n\n\n\n\n\n\n

What is Prototype Pollution?<\/h2>\n\n\n\n

As mentioned in the introduction, “prototype pollution” vulnerabilities are specific to JavaScript due to its particular management of objects. This reduces the likelihood of exploitation on the server side.<\/p>\n\n\n\n

On the other hand, the attack surface on the client side is much greater, as JavaScript is universally used by modern browsers.<\/p>\n\n\n\n

To understand this security vulnerability, it is important to explain how objects are instantiated and what prototypes are in JavaScript.<\/p>\n\n\n\n

Javascript objects and prototypes<\/h3>\n\n\n\n

Object-oriented development is a programming paradigm based on objects. Objects are sets of data contained in fields. They can represent concrete concepts, such as a car, or abstract concepts, such as a widget.<\/p>\n\n\n\n

JavaScript allows objects to be used. They can be created as follows:<\/p>\n\n\n\n

car = {color : \u00ab red \u00bb, power : \u00ab 90ch \u00bb}<\/code><\/pre>\n\n\n\n
The object thus created has 2 properties<\/strong>: “color” and “power”. These properties are of string type, but they could also be an integer, a Boolean, a function or even another object.<\/p>\n\n\n\n
In JavaScript, all objects automatically have basic functionality thanks to the prototype<\/strong> mechanism.<\/p>\n\n\n\n
\"\"
Prototype of the “car” object<\/figcaption><\/figure>\n\n\n
\n
\"\"
toString() property<\/figcaption><\/figure>\n<\/div>\n\n\n
Here we can see that the object already has the toString() function, even though it hasn’t been explicitly defined. This is made possible by the prototype of the “car” object.<\/p>\n\n\n\n
This prototype can be accessed using:<\/p>\n\n\n\n
car.__proto__<\/code><\/pre>\n\n\n\n
Basics of prototype pollution<\/h3>\n\n\n\n
It is possible to rewrite the object’s properties, which take precedence over the prototype’s properties. For example, you can create a custom toString() function. This process is called shadowing.<\/p>\n\n\n\n
A “Prototype Pollution” vulnerability occurs when the user can modify the prototype’s properties.<\/p>\n\n\n\n
By changing the prototype of an object, a user can impact all the other objects.<\/p>\n\n\n\n
Using the previous example:<\/p>\n\n\n\n
\"\"
Pollution of another object<\/figcaption><\/figure>\n\n\n\n
The toString() function has been modified, and all objects inherit from this new function.<\/p>\n\n\n\n
Let’s take a look at the impact this can have in concrete exploitations on both the server and client sides.<\/p>\n\n\n\n
Exploiting Server-Side Prototype Pollution<\/h2>\n\n\n\n
This type of vulnerability often exists because of vulnerable libraries. We are going to look at a simple exploitation of a Prototype Pollution, but one that nevertheless has an impact.<\/p>\n\n\n\n
Context<\/h3>\n\n\n\n
A role system is quite common in an application. Let’s imagine a simple system with three roles:<\/p>\n\n\n\n