Interview Bank
  • Interview Bank
  • Web
    • Persistent Connection and Non Persistent
    • CDN
    • Code Review
    • JWT
      • JWT vs Session Based Authentication
      • JWT Challenge
      • JWE
      • JWS
    • Content Security Policy (CSP)
    • Same-origin Policy (SOP)
    • Cross-Origin Resource Sharing (CORS)
      • Exploiting CORS
    • HTTP Strict Transport Security (HSTS)
    • SQL Injection (SQLi)
    • Password Encryption in Login APIs
    • API Security
      • API Principles
    • Simple bypass PHP
    • Server-side Template Injection (SSTI)
    • Javascript Object and Inheritance
    • HTTP/2
    • Cookie vs Local vs session Storage
    • XML External Entity (XXE)
    • What happened when enter domain name in browser
    • Prototype Pollution - Part 1
    • Prototype Pollution - Part 2
    • Nginx vs Apache
  • OT Security
    • Securing Operational Technology: Understanding OT Security
  • Quantum Computing
    • Quantum Computing: Unveiling the Cryptographic Paradigm Shift
    • Quantum Obfuscation: Shielding Code in the Quantum Era
  • DevSecOps
    • Continuous Integration/Continuous Deployment Pipeline Security
    • Chaos Engineering Overview
      • Security Chaos Engineering
    • Mysql VS redis
    • Kubernetes (k8s)
    • How MySQL executes query
    • REDIS
    • Difference between cache and buffer
  • Windows
    • Pentesting Active Directory - Active Directory 101
    • Pentesting Active Directory - Kerberos (Part 1)
    • Pentesting Active Directory - Kerberos (Part 2)
    • AD vs Kerberos vs LDAP
    • Active Directory Certificate Services Part 1
    • Unconstrained Delegation
    • AS-REP Roasting
    • NTLM Relay via SMB
    • LLMRN
    • Windows lateral movement
    • Constrained Delegation
    • Resource-Based Constrained Delegation
    • IFEO (lmage File Execution Options) Hijacking
  • UNIX
    • Setuid
  • Large Language Models (LLMs)
    • Tokens
    • LangChain
    • Integration and Security
  • Android
    • Keystore
  • Red team development
    • Secure C2 Infrastructure
    • P Invoke in c#
    • D Invoke
    • ExitProcess vs ExitThread
  • Blue Team
    • Indicators of Compromise
    • Methods to prevent Email domain spoofing
    • Windows Prefetching
  • CVE
    • XZ Outbreak CVE-2024-3094
    • Log4J Vulnerability (CVE-2021-44228)
    • SolarWinds Hack (CVE-2020-10148)
    • PHP CGI RCE (CVE-2024-4577)
    • Windows Recall
  • Software Architecture
    • Microservices
    • KVM
  • Docker
    • Overview
    • Daemon Socket
    • Tips to reduce docker size
  • Blockchain
    • Overview
    • Smart Contract
  • Business Acumen
    • Market Research Reports and Perception
    • Understanding Acquisitions
    • Cybersecurity as a Business Strategy
  • Cyber Teams
    • Introduction to Purple Teaming
  • Malware
    • Dynamic Sandbox Limitations
Powered by GitBook
On this page
  • What is Prototype Pollution?
  • Huh??? What is a prototype? What does it do? Why is there such a thing?
  • JavaScript prototypes and inheritance
  • Object in JavaScript
  • How does object inheritance work in JavaScript?
  • Prototype in JavaScript
  • Modifying an object's prototype
  • So how does Prototype Pollution works?
  • Interview Questions
  • Author
  • References
  1. Web

Prototype Pollution - Part 1

Part 1 of exploring the Prototype Pollution vulnerability.

PreviousWhat happened when enter domain name in browserNextPrototype Pollution - Part 2

Last updated 2 months ago

What is Prototype Pollution?

Prototype Pollution is a JavaScript vulnerability that allows attackers to add arbitrary properties to global object prototypes which may then be inherited by user-defined objects.

Just to note, Prototype Pollution cannot be exploited as a standalone vulnerability. In fact, when it was discovered, many security researchers thought that the way that it can be exploited is very theoretical and it won't happen in reality but history has proven them wrong . So why do researchers feel that it is theoretical? It is because Prototype Pollution allows attacker to control properties of objects that would otherwise be inaccessible. However, if the application handles an attacker-controlled property in an unsafe way, Prototype Pollution could be chained with other vulnerabilities and it can lead to deadly consequences! If it is client-slide, it will usually lead to a DOM XSS vulnerability. If it is server-side, it can lead to remote code execution (RCE).

Huh??? What is a prototype? What does it do? Why is there such a thing?

To understand how it works, we need to be familiar with how prototype and inheritance work in JavaScript. So Imma give a crash course.

JavaScript prototypes and inheritance

Unlike Java, JavaScript uses a prototype inheritance model which works differently from the class-based model which we are used to in languages like C#, Java or Golang. Both are different styles of Object-Oriented Programming (OOP). Below is a table that shows the differences:

Feature
Prototype Inheritance Model
Class-Based Model

Definition

Objects inherit directly from other objects aka prototypes.

Objects are instances of classes that define a blueprint.

Programming Languages

JavaScript.

Java, C#, Golang and many others.

Inheritance Mechanism

Use object prototypes where objects inherit properties directly from other objects.

Uses classes and instances, where objects are instantiated from a class.

Object Creation

Objects are created by cloning other objects.

Objects are instantiated from class templates.

Method Sharing

Methods are shared via the prototype chain.

Methods belong to the class and are inherited by instances.

Encapsulation

Less enforced; any object can modify its prototype chain.

More structured, with class-based encapsulation mechanisms.

Object in JavaScript

A JavaScript object is essentially just a collection of key:value pairs known as "properties". It is similar to JSON. Properties can include data and as well as executable functions. This function can also be known as a method.

const user = {
    username: "frost",
    userId: 1,
    isAdmin: false,
    exampleMethod: doFunction() {
        // something 
    }
}

To access these properties we can use the following:

// dot notation 
user.username

// bracket notation
user["username"]

How does object inheritance work in JavaScript?

When you reference a property of an object, the JavaScript engine will first try to find it in the object. If it is not there, it will look for it in the object's prototype. In this example from the picture above, I can reference myObject.propertyA .

Prototype in JavaScript

Every object in JavaScript is linked to another object of some kind, this is known as its prototype. Since JavaScript is a prototype inheritance model, every new object will be automatically assigned to one of JavaScript's built-in prototypes. For example, strings are automatically assigned to the built-in String.prototype. 

let myObject = {};
Object.getPrototypeOf(myObject); // Returns Object.prototype

let myString = "";
Object.getPrototypeOf(myString); // Returns String.prototype

let myNumber = 1;
Object.getPrototypeOf(myNumber); // Returns Number.prototype

As we know, these objects will automatically inherit all of the properties of their assigned prototype, unless they already have their own property with the same key. This helps developers to create new objects that can be reuse the properties and methods of existing objects.

Prototype Chain

As everything in JavaScript is an object, this chain leads back to the top level Object.prototype, whose prototype is a null.

Another thing we should take note of is that objects don't just inherit properties from their immediate prototype, they also inherit properties from all the objects above them in the prototype chain.

How can we access an object's prototype?

Each object has a special property that you can use to access its prototype. We can use __proto__! __proto__ serves as both the getter and setter for the object's prototype. This means that you can use it to read the prototype and even change it!

username.__proto__
username['__proto__']

We can even chain the prototype of an object!

username.__proto__                            // String.prototype
username.__proto__.__proto__                  // Object.prototype
username.__proto__.__proto__.__proto__        // null

Modifying an object's prototype

Since __proto__ is used as a getter and setter, it is possible to modify JavaScript's built-in prototypes. This also means that developers can customize or override the behaviour of built-in methods and even add new methods to perform useful operations.

So how does Prototype Pollution works?

Prototype pollution vulnerabilities arise when a JavaScript function recursively merges an object that contains user-controllable properties into an existing object without sanitizing the keys! This allows attackers to inject a property with a key like __proto__ along with arbitrary nested properties.

Because __proto__ has a special meaning, the merge operation may assign the nested properties to the object's prototype instead of the target object itself! This allows the attacker to pollute the prototype with properties that contain values which can be used by the application in a dangerous way.

To exploit this successfully, we need a few key components:

  • A prototype pollution source - This is any input that enables you to poison the prototype objects with arbitrary properties.

  • A sink - a JavaScript function or DOM element that enables arbitrary code execution.

  • An exploitable gadget - Basically any properties that is passed into a sink without proper sanitization.

I will continue on how we can exploit Prototype Pollution in another Part 2 article.

Interview Questions

  • What is Prototype pollution?

  • How does prototype-inheritance model contribute to the Prototype pollution vulnerability?

  • How does the prototype chain relate to prototype pollution?

Author

References

  • Offsec - Advanced Web Attacks and Exploitation

Frost

😢
🤔
❄️
https://portswigger.net/web-security/prototype-pollution
Credits: PortSwigger
Credits: PortSwigger
A typical Prototype pollution attack flow Credits: PortSwigger