How is the prototype pollution vulnerability produced？

What is prototype pollution?

Prototype pollution is a JavaScript security vulnerability that allows attackers to add arbitrary properties to the global object prototype, which may then be inherited by user-defined objects.
Although prototype pollution itself is usually not exploitable as an independent vulnerability, it allows attackers to control those object properties that were originally inaccessible. If the application then handles the properties controlled by the attacker in an unsafe way, this may lead to the combination with other vulnerabilities. In client-side JavaScript, this situation usually leads to DOM-based cross-site scripting (DOM XSS), and on the server side, prototype pollution may even trigger remote code execution.

How is the prototype pollution vulnerability produced?

The prototype pollution vulnerability usually occurs when a JavaScript function recursively merges an object containing user-controllable properties into an existing object without cleaning the keys first. This may allow the attacker to inject a key named__proto__properties, as well as arbitrary nested properties.

Due to__proto__In the JavaScript context, it has special meaning, and the merge operation may assign nested properties to the prototype of the object, rather than the object itself. Therefore, attackers can pollute the prototype by injecting properties containing malicious values, which may be used in a dangerous way by the application.

Although any prototype object may be polluted, this situation most commonly occurs in built-in globalObject.prototypeUp.

Successfully exploiting the prototype pollution vulnerability requires the following key elements:

• Prototype pollution source - this is any input point that allows you to pollute the prototype object by injecting arbitrary properties.

• Pollution reception point (Sink) - in other words, a JavaScript function or DOM element that can cause arbitrary code execution.

• Exploitable tools (Gadget) - these are any properties that are passed to the pollution reception point without proper filtering or cleaning.

Prototype pollution source

The source of prototype pollution is any user-controllable input that allows you to add arbitrary properties to the prototype object. The most common sources include:

1. Through the URL with the query string or fragment string

2. Based on JSON input

3. Web message

Through URL prototype pollution
Consider the following URL that contains a query string constructed by the attacker:

https://vulnerable-website.com/?proto[evilProperty]=payload

When parsing the query string into key-value pairs, the URL parser may treat__proto__as a regular string. But what if you later merge these key-value pairs as properties into an existing object?

You might think that__proto__properties and their nestedevilPropertyproperties, which are simply added to the target object as shown below:

{

existingProperty1: 'foo',

existingProperty2: 'bar',

proto: {

evilProperty: 'payload'

}

}

However, that is not the case. At some point, the recursive merging operation may use an assignment operation similar to the following statement to setevilPropertywith the value:

targetObject.__proto__.evilProperty = 'payload';

in this assignment process, the JavaScript engine will__proto__as the prototype accessor. Therefore,evilPropertywill be assigned to the returned prototype object, rather than the target object itself. Assuming the target object uses the defaultObject.prototypethen all objects will inheritevilPropertyunless they already have a property with the same name.

In practice, injecting a property namedevilPropertyproperties are unlikely to have any effect. However, an attacker can use the same technique to pollute the prototype with properties used by the application or any imported libraries.

via JSON input for prototype pollution

user-controlled objects are typically passed throughJSON.parse()method generates from a JSON string. However,JSON.parse()It will also treat any key in the JSON object as a regular string, including similar__proto__such keys. This provides a potential attack vector for prototype pollution.

Assuming an attacker injects the following malicious JSON via Web message injection, for example:

{

"proto: {

"evilProperty": "payload"

}

}

If throughJSON.parse()method converts this content into a JavaScript object, and the resulting object actually has a key of__proto__of its properties.

const objectLiteral = {proto: {evilProperty: 'payload'}}; const objectFromJson = JSON.parse('{"proto': {"evilProperty": "payload"}}'); objectLiteral.hasOwnProperty('proto); // false objectFromJson.hasOwnProperty('proto); // true

If throughJSON.parse()The created object is then merged into the existing object without proper key cleaning, which can also lead to prototype pollution during the assignment process, as we saw in the previous URL-based example.

Prototype pollution receiver

Prototype pollution receivers are essentially JavaScript functions or DOM elements that you can access through prototype pollution to execute arbitrary JavaScript code or system commands. We have discussed some client receivers in detail in the topic of DOM XSS.

Since prototype pollution allows you to control properties that were originally inaccessible, this may give you access to some additional receivers within the target application. Developers unfamiliar with prototype pollution may mistakenly believe that these properties are not under user control, which means there may be very few filtering or cleaning measures.

Prototype pollution tool

Prototype pollution tools (Gadget) are methods to turn prototype pollution vulnerabilities into actual attacks. They refer to any property that meets the following conditions:

• used by the application in an insecure manner, such as passing it to a receiver without proper filtering or cleaning.

• that can be controlled by an attacker through prototype pollution, i.e., the object can inherit properties added to the prototype by the attacker.

If a property is directly defined on the object itself, it cannot become a tool (Gadget) because the version of the object's properties will take precedence over any malicious version added to the prototype. Some robust websites may explicitly set the prototype of the object tonull, to ensure it does not inherit any properties.

An example of a prototype pollution tool

Many JavaScript libraries accept an object that developers can use to set different configuration options. The library code checks whether developers have explicitly added certain properties to the object, and if so, adjusts the configuration accordingly. If the property representing a specific option does not exist, it typically uses predefined default options. A simplified example might look like this:

let transport_url = config.transport_url || defaults.transport_url;

Now imagine that the library code uses thistransport_urlTo add a script reference to the page.

let script = document.createElement('script');

script.src =$