Privacy settings
We use cookies and similar technologies that are necessary to run the website. Additional cookies are only used with your consent. You can consent to our use of cookies by clicking on Agree. For more information on which data is collected and how it is shared with our partners please read our privacy and cookie policy: Cookie policy, Privacy policy
We use cookies to access, analyse and store information such as the characteristics of your device as well as certain personal data (IP addresses, navigation usage, geolocation data or unique identifiers). The processing of your data serves various purposes: Analytics cookies allow us to analyse our performance to offer you a better online experience and evaluate the efficiency of our campaigns. Personalisation cookies give you access to a customised experience of our website with usage-based offers and support. Finally, Advertising cookies are placed by third-party companies processing your data to create audiences lists to deliver targeted ads on social media and the internet. You may freely give, refuse or withdraw your consent at any time using the link provided at the bottom of each page.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Prototype Pollution

One of the lesser-known security flaws is prototype pollution. In 2017, scholars began talking about it as a possible attack vector, and by the beginning of 2018, the first exposures had been identified in the wild. 

What are the risks associated with Prototype Pollution exploit, and how may they be reduced? This article will explore these questions in detail.

Prototype Pollution

Prototype Pollution Definition

The prototype override flaw permits malicious actors to take advantage of JavaScript environments. It is an effort to hack aby malicious actors that inject properties into preexisting JavaScript build prototypes.

Cyberpunks can inject variables that nullify or befoul the archetype of a base object, leading to a susceptibility known as Property Injection. This pernicious paradigm can be passed to numerous objects that inherit from it. If hackers can change the predefined settings of an object's attributes, they can alter the application's logic. This can result in a denial of service (DoS) or remote code execution (RCE).

How Do Prototype Pollution Vulnerabilities Arise?

The European Computer Manufacturers Association (ECMA) released the ECMAScript2015, 6th Edition requirements, which included the notion of prototype pollution. With the help of these guidelines, a universal ECMAScript standard has been established.

One such feature that has been standardized is the __proto__ attribute, which is used to recognize an object's criterion. All items in ECMAScript now have this quality, and __proto__ is an item description in and of itself. The term "prototype" is employed to describe the technique that permits ECMAScript objects to share assets.

Except for "primitives," everything you type in ECMAScript is an object. In addition, they can be nested within one another, and objects can inherit Prototypes from one another. Such a chain is exactly what it sounds like.

When a hacker modifies the __proto__ attribute, usually by inserting a new archetype, this is known as archetype tampering. All JavaScript items now have the __proto__ feature, and since all entities inherit from Prototypes, each new Prototype automatically becomes a part of the prototype chain.

This clarifies that an adversarial player might inject attributes into a preexisting JavaScript cipher, developing a JavaScript exception that could usher to DoS, noxious code that obtains REC, or other disastrous effects.

Prototype Pollution example

Sources Of Pollution of The Prototype

All user-manipulable inputs that confer the capability to endow prototype matters with arbitrary characteristics are examples of sources of prototype poisoning. The most representative examples come from:

  • The query or fragment (hash) URL.
  • Using JSON-based input.
  • Online messages.
  • Via The URL  

Here's an example of an attack-generated query string inserted into a URL:[evilProperty]=payload

In the process of decomposing the query string into key:value pairs, a URL parser can mistake __proto__ for any old thing. Let's see, however, what transpires when these values and keys are then included in an existing item as attributes.

Adding the __proto__ property and its nested evilProperty to the target object can seem like a simple operation.

{ existingProperty1: 'foo', existingProperty2: 'bar', __proto__: { evilProperty: 'payload' } }

This is not the case, though. The evilProperty value could be assigned at any stage in the recursive merging operation with a statement like this one:

targetObject.__proto__.evilProperty = 'payload';

The JavaScript engine interprets __proto__ as a getter for the prototype during this assignment. The returned archetype object, rather than the intended target object, receives the evilProperty. All items in the ECMAScript runtime will now inherit evilProperty unless they already have a property with the same key. This is true even if the target object overrides the default Object.prototype.

In most cases, inserting a property with the name "evilProperty" won't have any noticeable impact. A malicious actor, however, may use the same method to inject properties into the prototype that the package or any imported libraries depend on.

  • Via JSON Input

The JSON.parse() method is commonly used to transform a JSON string into a user-manipulatable object. Curiously, JSON.parse() interprets any key in the JSON object, including special keys like __proto__, as a string. This opens up a new avenue for the spread of harmful prototypes.

For illustration, consider the following malicious JSON that could be injected via a web message from an attacker:

{ "__proto__": { "evilProperty": "payload" } }

A property with the key __proto__ will be present in the final JavaScript object if this is parsed using the JSON.parse() function.

const objectLiteral = {__proto__: {evilProperty: 'payload'}}; const objectFromJson = JSON.parse('{"__proto__": {"evilProperty": "payload"}}'); objectLiteral.hasOwnProperty('__proto__'); // false objectFromJson.hasOwnProperty('__proto__'); // true

As we saw in the preceding example based on a URL, prototype pollution can occur during assignment if the object formed by JSON.parse() is then merged into a prevailing object without sufficient key sanitization.

Safety Risks Arising from Prototype Pollution

Prototype tampering weaknesses may occur on both the client and server sides of a web package due to the portability of JavaScript. As a result, the severity and breadth of harm caused by prototype attacks might vary substantially from one application to the next. Here are a few illustrations:

A prototype pollution attack enables hackers to conduct DoS against a targeted user in a client-side attack or on the web server hosting the application.

  • Obstructing the JavaScript circumstances

A prototype pollution outbreak can add or alter an attribute to trigger unanticipated behavior. It may cause certain logic to malfunction.

  • A starting point for subsequent assaults

A prototype pollution outbreak enables hackers to leverage other components (Gadgets) stored in the same scenario. They can now launch sophisticated attacks and potentially get even more access or elevate their privileges. 

  1. Client-Side Exploitation

Threat actors initiate property injection exploitation by implanting a payload into a constructor of client-side logic or application rendering, such as a URL. For instance, a URL parser may assign qualities to ECMAScript objects without checking to ensure that the target property is properly linked to the object test case.

Multiple attacks, including cross-site scripting (XSS), are possible through client-side exploitation of a prototype pollution vulnerability. Here, they want a device dependent on the quality of a substance that is easily tainted by pollution. Client-side prototype pollution ECMAScript encryption execution can be triggered by threat actors if the object interacts with the page's document object model (DOM).

  1. Server-Side Exploitation

When malicious actors take advantage of liabilities in prototype pollution to alter the attributes of an item archetype using tools from the software environment, this is known as server-side manipulation. Server-side execution of the maliciously modified ECMAScript runtime objects has far more serious consequences than assaults on client-side systems.

It can be difficult to deed prototype contamination weaknesses. Understanding the full scope of the assault often calls for dissecting the application's logic. Nonetheless, server-side exploitation can result in severe consequences, such as RCE, SQL injection (SQLi), and authorization and authentication evasion.

Prototype Pollution Example 

It is a susceptibility in LiveScript that occurs when a hacker injects a malicious object into a package’s prototype chain. This can cause unexpected behavior or infosec issues.

Here's a simple code example that demonstrates JavaScript prototype pollution:

const myObject = {}; myObject.__proto__.isAdmin = true; console.log(myObject.isAdmin); // true

In this illustration, the hacker adds the isAdmin property to the archetype of myObject. When isAdmin is accessed on myObject, it returns true. To prevent this type of attack, input validation and sanitization should always be performed on user input.

Prototype Pollution Mitigation

  • Most significantly, our codebase should follow excellent programming practices.
  • Since client-side vulnerabilities dominate, user input sanitization is vital.
  • Update libraries and run npm audits to check for vulnerabilities.
  • Avoiding repetitive merges decreases susceptibility.
  • A frozen object cannot be altered, hence the Object.freeze() method should be used. Freezing an item prevents its prototype from changing.
  • The data structure map, introduced in EcmaScript 6 (ES6), functions as a hashmap (key-value pairs) without the security issues of Objects.
  • Finally, constructing objects without prototype properties, such as Object.create(null), will not affect the archetype chain and reduce prototype pollution.

Wallarm Will Help Prevent Javascript Attacks

Wallarm can help stop any JavaScript attacks that try to take advantage of a weakness in prototype pollution.

API Security Infrastructure, WAAP, apps, and serverless workloads functioning in cloud-native settings are all well protected by Wallarm technologies developed by security specialists for professionals.

Wallarm is used by hundreds of privacy and Developers worldwide because it provides them with unprecedented insight into vicious outreach, broad security across their entire API selection, and computerized event retort for product defence initiatives.


What is prototype pollution?
How does prototype pollution occur?
What are the consequences of prototype pollution?
What is OWASP's recommended approach to preventing prototype pollution?
How can I prevent prototype pollution?


ECMAScript 6 -

Subscribe for the latest news

February 26, 2024
Learning Objectives
Subscribe for
the latest news
Related Topics