
Prototype Pollution

Web cheatsheet — Web application enumeration and exploitation techniques.

Overview

Prototype Pollution is a JavaScript vulnerability where an attacker can inject properties into an object's prototype. This can lead to property injection, denial of service, and in some cases remote code execution.

The attack targets JavaScript runtime behavior: once Object.prototype is modified, every object that inherits from it (which is almost every plain object in the application) picks up the injected properties.

Category: Web (Web application enumeration and exploitation techniques)

Key Commands & Payloads

The following commands and payloads are commonly used when testing for or exploiting Prototype Pollution:

{ "__proto__": { "isAdmin": true } }
JSON.parse('{"__proto__": {"isAdmin": true}}')
?__proto__[isAdmin]=true
?constructor[prototype][isAdmin]=true
merge(target, { "__proto__": { "polluted": true } })
Object.assign({}, JSON.parse('{"__proto__": {"polluted":true}}'))

Tools & Techniques

Recommended tools and techniques for testing Prototype Pollution:

  • Testing via JSON.parse with __proto__ key
  • Testing via merge/clone library functions
  • Testing via URL query parameters with __proto__ syntax
  • Server-Side Prototype Pollution Scanner (Burp extension)
  • Check Node.js applications using vulnerable merge functions

Prevention & Mitigation

Security recommendations to prevent Prototype Pollution:

  • Use Object.create(null) for objects that should not inherit
  • Use libraries that filter __proto__ keys (lodash.merge > v4.6.2)
  • Use Object.freeze(Object.prototype) to prevent modifications
  • Use Map instead of plain objects for unchecked key-value stores
  • Validate and sanitize JSON input with JSON Schema
  • Avoid recursive merge/clone operations on untrusted data
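The following is an added example, not code from the cheatsheet or from any library it names. It puts a vulnerable recursive merge and a vulnerable bracket-path setter (the shape behind the ?__proto__[isAdmin]=true and ?constructor[prototype][isAdmin]=true payloads above) next to hardened versions that apply three of the mitigations listed here: dropping the __proto__/constructor/prototype keys, allocating nested containers with Object.create(null), and only descending into own properties. The function names (unsafeMerge, safeMerge, unsafeSetPath, safeSetPath, bracketPath, leavesPrototypePolluted, runChecks) and the inputs are constructed for this example; the payload strings are the ones from the Key Commands section. The checker also shows that the Object.assign line only reparents the target object and leaves Object.prototype untouched.

```javascript
// Added example (not from the cheatsheet): vulnerable merge/setter beside
// hardened versions, exercised with the page's payload shapes. All names and
// inputs here are constructed for illustration.

const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable: recurses into every key. For "__proto__", target["__proto__"]
// resolves (via the inherited accessor) to Object.prototype, so the nested
// writes land on the global prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === undefined) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skips the pollution vectors, descends only into own properties,
// and allocates nested containers with Object.create(null) (no prototype).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (own === null || typeof own !== "object") target[key] = Object.create(null);
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// "a[b][c]" -> ["a", "b", "c"]: the bracket syntax of the query payloads.
function bracketPath(key) {
  return key.replace(/\]/g, "").split("[");
}

// Vulnerable: walks inherited values, so "constructor" reaches the Object
// function and "prototype" reaches Object.prototype.
function unsafeSetPath(target, path, value) {
  let node = target;
  for (const seg of path.slice(0, -1)) {
    if (node[seg] == null) node[seg] = {}; // only fills truly missing slots
    node = node[seg];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Hardened: rejects forbidden segments outright and never follows inherited
// properties when descending.
function safeSetPath(target, path, value) {
  for (const seg of path) {
    if (FORBIDDEN.has(seg)) throw new Error(`rejected key segment: ${seg}`);
  }
  let node = target;
  for (const seg of path.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, seg) ? node[seg] : undefined;
    if (own === null || typeof own !== "object") node[seg] = Object.create(null);
    node = node[seg];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Runs `attack`, reports whether Object.prototype gained an own property
// named `marker`, then deletes it so the rest of the process is unaffected.
function leavesPrototypePolluted(attack, marker) {
  attack();
  const hit = Object.prototype.hasOwnProperty.call(Object.prototype, marker);
  delete Object.prototype[marker];
  return hit;
}

// Payload shapes from the cheatsheet.
const JSON_PROTO = '{"__proto__": {"isAdmin": true}}';
const JSON_CTOR = '{"constructor": {"prototype": {"isAdmin": true}}}';
const QUERY_KEYS = ["__proto__[isAdmin]", "constructor[prototype][isAdmin]"];

// true = Object.prototype was polluted by that combination, false = it was not.
function runChecks() {
  const M = "isAdmin";
  return {
    unsafeMergeJsonProto: leavesPrototypePolluted(() => unsafeMerge({}, JSON.parse(JSON_PROTO)), M),
    unsafeMergeJsonCtor: leavesPrototypePolluted(() => unsafeMerge({}, JSON.parse(JSON_CTOR)), M),
    safeMergeJsonProto: leavesPrototypePolluted(() => safeMerge({}, JSON.parse(JSON_PROTO)), M),
    safeMergeJsonCtor: leavesPrototypePolluted(() => safeMerge({}, JSON.parse(JSON_CTOR)), M),
    unsafeQuery: QUERY_KEYS.map((k) => leavesPrototypePolluted(() => unsafeSetPath({}, bracketPath(k), "true"), M)),
    // Object.assign triggers the __proto__ setter on the *target* only: the
    // target is reparented, Object.prototype is never written.
    objectAssignGlobal: leavesPrototypePolluted(() => Object.assign({}, JSON.parse(JSON_PROTO)), M),
    objectAssignTargetInherits: Object.assign({}, JSON.parse(JSON_PROTO)).isAdmin === true,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runChecks());
}
```

Run it with node; each entry in the printed object tells you whether that payload/merge pairing wrote to Object.prototype. The two hardened functions still merge ordinary nested input correctly, which is the property to keep when replacing a vulnerable merge in an application: filter the three key names, allocate nested objects without a prototype, and never follow inherited values while descending.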

References

Additional resources: