One of the lesser-known security flaws is prototype pollution. In 2017, scholars began talking about it as a possible attack vector, and by the beginning of 2018, the first exposures had been identified in the wild.
What are the risks associated with Prototype Pollution exploit, and how may they be reduced? This article will explore these questions in detail.
Prototype Pollution Definition
Cyberpunks can inject variables that nullify or befoul the archetype of a base object, leading to a susceptibility known as Property Injection. This pernicious paradigm can be passed to numerous objects that inherit from it. If hackers can change the predefined settings of an object's attributes, they can alter the application's logic. This can result in a denial of service (DoS) or remote code execution (RCE).
How Do Prototype Pollution Vulnerabilities Arise?
The European Computer Manufacturers Association (ECMA) released the ECMAScript2015, 6th Edition requirements, which included the notion of prototype pollution. With the help of these guidelines, a universal ECMAScript standard has been established.
One such feature that has been standardized is the __proto__ attribute, which is used to recognize an object's criterion. All items in ECMAScript now have this quality, and __proto__ is an item description in and of itself. The term "prototype" is employed to describe the technique that permits ECMAScript objects to share assets.
Except for "primitives," everything you type in ECMAScript is an object. In addition, they can be nested within one another, and objects can inherit Prototypes from one another. Such a chain is exactly what it sounds like.
Sources Of Pollution of The Prototype
All user-manipulable inputs that confer the capability to endow prototype matters with arbitrary characteristics are examples of sources of prototype poisoning. The most representative examples come from:
The query or fragment (hash) URL.
Using JSON-based input.
Via The URL
Here's an example of an attack-generated query string inserted into a URL:
In the process of decomposing the query string into key:value pairs, a URL parser can mistake __proto__ for any old thing. Let's see, however, what transpires when these values and keys are then included in an existing item as attributes.
Adding the __proto__ property and its nested evilProperty to the target object can seem like a simple operation.
This is not the case, though. The evilProperty value could be assigned at any stage in the recursive merging operation with a statement like this one:
targetObject.__proto__.evilProperty = 'payload';
In most cases, inserting a property with the name "evilProperty" won't have any noticeable impact. A malicious actor, however, may use the same method to inject properties into the prototype that the package or any imported libraries depend on.
Via JSON Input
The JSON.parse() method is commonly used to transform a JSON string into a user-manipulatable object. Curiously, JSON.parse() interprets any key in the JSON object, including special keys like __proto__, as a string. This opens up a new avenue for the spread of harmful prototypes.
For illustration, consider the following malicious JSON that could be injected via a web message from an attacker:
As we saw in the preceding example based on a URL, prototype pollution can occur during assignment if the object formed by JSON.parse() is then merged into a prevailing object without sufficient key sanitization.
Safety Risks Arising from Prototype Pollution
A prototype pollution attack enables hackers to conduct DoS against a targeted user in a client-side attack or on the web server hosting the application.
A prototype pollution outbreak can add or alter an attribute to trigger unanticipated behavior. It may cause certain logic to malfunction.
A starting point for subsequent assaults
A prototype pollution outbreak enables hackers to leverage other components (Gadgets) stored in the same scenario. They can now launch sophisticated attacks and potentially get even more access or elevate their privileges.
Threat actors initiate property injection exploitation by implanting a payload into a constructor of client-side logic or application rendering, such as a URL. For instance, a URL parser may assign qualities to ECMAScript objects without checking to ensure that the target property is properly linked to the object test case.
Multiple attacks, including cross-site scripting (XSS), are possible through client-side exploitation of a prototype pollution vulnerability. Here, they want a device dependent on the quality of a substance that is easily tainted by pollution. Client-side prototype pollution ECMAScript encryption execution can be triggered by threat actors if the object interacts with the page's document object model (DOM).
When malicious actors take advantage of liabilities in prototype pollution to alter the attributes of an item archetype using tools from the software environment, this is known as server-side manipulation. Server-side execution of the maliciously modified ECMAScript runtime objects has far more serious consequences than assaults on client-side systems.
It can be difficult to deed prototype contamination weaknesses. Understanding the full scope of the assault often calls for dissecting the application's logic. Nonetheless, server-side exploitation can result in severe consequences, such as RCE, SQL injection (SQLi), and authorization and authentication evasion.
Prototype Pollution Example
It is a susceptibility in LiveScript that occurs when a hacker injects a malicious object into a package’s prototype chain. This can cause unexpected behavior or infosec issues.
In this illustration, the hacker adds the isAdmin property to the archetype of myObject. When isAdmin is accessed on myObject, it returns true. To prevent this type of attack, input validation and sanitization should always be performed on user input.
Prototype Pollution Mitigation
Most significantly, our codebase should follow excellent programming practices.
Since client-side vulnerabilities dominate, user input sanitization is vital.
Update libraries and run npm audits to check for vulnerabilities.
A frozen object cannot be altered, hence the Object.freeze() method should be used. Freezing an item prevents its prototype from changing.
The data structure map, introduced in EcmaScript 6 (ES6), functions as a hashmap (key-value pairs) without the security issues of Objects.
Finally, constructing objects without prototype properties, such as Object.create(null), will not affect the archetype chain and reduce prototype pollution.
API Security Infrastructure, WAAP, apps, and serverless workloads functioning in cloud-native settings are all well protected by Wallarm technologies developed by security specialists for professionals.
Wallarm is used by hundreds of privacy and Developers worldwide because it provides them with unprecedented insight into vicious outreach, broad security across their entire API selection, and computerized event retort for product defence initiatives.
What is prototype pollution?
Prototype pollution is a vulnerability that arises when attackers modify the prototype of an object in the code to execute malicious actions. By manipulating the prototype chain, attackers can gain unauthorized access to sensitive data and systems.
How does prototype pollution occur?
Prototype pollution occurs when attackers are able to inject malicious code into the prototype chain of an object in the code. This injection can come from user input or unsecured third-party libraries used in the code.
What are the consequences of prototype pollution?
The consequences of prototype pollution can be severe, including data theft, system crashes, and unauthorized access to systems and networks. Attackers can also use prototype pollution to gain further access to a system and plant persistent threats.
What is OWASP's recommended approach to preventing prototype pollution?
According to OWASP, developers should use a defense-in-depth approach to prevent prototype pollution, including input validation, escaping user input, sanitizing data, and implementing strict code reviews. (source)
How can I prevent prototype pollution?
Developers can prevent prototype pollution by conducting code reviews and implementing secure coding practices. They should also use trusted third-party libraries or sanitize user input before it is used in the code.