What Is Prototype Pollution?
This vulnerability is called prototype pollution because it allows threat actors to inject values that overwrite, or “pollute”, the prototype of a base object. Because every object that inherits from that prototype picks up the injected values, the malicious prototype propagates to many other objects. Once threat actors control the default values of an object’s properties, they can tamper with the application’s logic, which can lead to Denial of Service (DoS) or remote code execution (RCE).
How Do Prototype Pollution Vulnerabilities Happen?
Prototype Pollution Security Risks
- Denial of Service (DoS)—a prototype pollution attack can enable threat actors to perform DoS against a targeted user in a client-side attack or on the web server that hosts the application.
- A starting point for additional attacks—a prototype pollution attack allows threat actors to leverage other components (Gadgets) loaded in the same context. It enables them to initiate complex attacks and potentially escalate their privileges or gain access to sensitive information.
Exploiting prototype pollution vulnerabilities can be complex. It typically requires a deep analysis of the application logic to determine the attack’s impact. However, server-side exploitation can lead to severe consequences, including remote code execution (RCE), SQL injection (SQLi), and authorization and authentication bypass.
Prevent All Changes to the Prototype
You can install the nopp npm package, which automatically freezes all common object prototypes so that later writes to them no longer take effect.
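As an added example (not the article's own code, and not the nopp package itself), the following JavaScript shows the recursive-merge sink that prototype pollution typically flows through, a key-filtering fix, and the effect of freezing the built-in prototypes; the function names and the JSON payload are constructed for illustration:

```javascript
// Added example, not code from the original article: a naive recursive merge is
// the classic prototype-pollution sink. Two mitigations are shown: dropping
// prototype-related keys, and freezing built-in prototypes (nopp freezes more).
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Recursive merge; allowKey decides which source keys may be copied.
function merge(target, source, allowKey) {
  for (const key of Object.keys(source)) {
    if (!allowKey(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      merge(target[key], value, allowKey);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Vulnerable: every key is copied, so "__proto__" walks into Object.prototype.
const unsafeMerge = (target, source) => merge(target, source, () => true);
// Hardened: keys that reach the prototype chain are skipped.
const safeMerge = (target, source) => merge(target, source, (k) => !FORBIDDEN_KEYS.has(k));
// Defense in depth: freeze the prototypes every plain object and array inherits.
function freezeBuiltinPrototypes() {
  [Object.prototype, Array.prototype].forEach((proto) => Object.freeze(proto));
}

// Merge a constructed malicious payload into a fresh object and report whether a
// brand-new object now carries the injected "polluted" flag; undo it if it landed.
function pollutionObserved(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": true}}'); // constructed input
  try { mergeFn({}, payload); } catch (e) { /* frozen prototype throws in strict mode */ }
  const observed = ({}).polluted === true;
  if (observed) delete Object.prototype.polluted;
  return observed;
}

// Run once: unsafe merge pollutes, safe merge does not, frozen prototypes stop both.
function runDemo() {
  const unsafeBeforeFreeze = pollutionObserved(unsafeMerge);
  const safeBeforeFreeze = pollutionObserved(safeMerge);
  freezeBuiltinPrototypes();
  const unsafeAfterFreeze = pollutionObserved(unsafeMerge);
  return { unsafeBeforeFreeze, safeBeforeFreeze, unsafeAfterFreeze };
}
const RESULTS = runDemo();
console.log(RESULTS); // { unsafeBeforeFreeze: true, safeBeforeFreeze: false, unsafeAfterFreeze: false }
```

In sloppy-mode scripts the write to a frozen prototype is silently ignored rather than thrown, which is why the check reads the result back from a fresh object instead of relying on an exception.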