Kingdom: Input Validation and Representation
Input validation and representation problems ares caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include: "Buffer Overflows," "Cross-Site Scripting" attacks, "SQL Injection," and many others.
Prototype Pollution
Abstract
The application allows a user to pollute the prototype.
Explanation
Prototype pollution is an attack that allows a malicious user to overwrite the prototype of an object.
To understand prototype pollution, you must first understand prototypal inheritance. Prototypes and the prototype chain is used as a lookup for properties and functions in JavaScript, providing inheritance. When attempting to access a property on a given object, the current object definition is checked. If the current object does not define the property, the prototype class is checked. The prototypes are recursively checked until either the property is found, or there are no more prototypes set.
Because most objects in JavaScript by default have a prototype pointing to
If the application (or any of its dependencies) relies on the fact that properties can be
Prototype pollution occur can when:
1. Data enters a program from an untrusted source.
2. The data is passed to an API that allows overwriting the prototype.
Example 1: The following code uses a vulnerable version of
At this point, if the untrusted input is
Consider the following code that exists later in the application.
Even though
Unfortunately, as the prototype has been polluted, the prototype of
To understand prototype pollution, you must first understand prototypal inheritance. Prototypes and the prototype chain is used as a lookup for properties and functions in JavaScript, providing inheritance. When attempting to access a property on a given object, the current object definition is checked. If the current object does not define the property, the prototype class is checked. The prototypes are recursively checked until either the property is found, or there are no more prototypes set.
Because most objects in JavaScript by default have a prototype pointing to
Object.prototype, if an attacker can overwrite the prototype of an object, they can typically overwrite the definition of Object.prototype, affecting all objects within the application.If the application (or any of its dependencies) relies on the fact that properties can be
undefined rather than always being explicitly set, then if the prototype has been polluted, the application might inadvertently read from the prototype instead of the intended object.Prototype pollution occur can when:
1. Data enters a program from an untrusted source.
2. The data is passed to an API that allows overwriting the prototype.
Example 1: The following code uses a vulnerable version of
lodash to pollute the prototype of the object:
import * as lodash from 'lodash'
...
let clonedObject = lodash.merge({}, JSON.parse(untrustedInput));
...
At this point, if the untrusted input is
{"__proto__": { "isAdmin": true}}, then Object.prototype will have defined isAdmin = true.Consider the following code that exists later in the application.
...
let config = {}
if (isAuthorizedAsAdmin()){
config.isAdmin = true;
}
...
if (config.isAdmin) {
// do something as the admin
}
...
Even though
isAdmin should only be set to true if isAuthorizedAdmin() returns true, because the application fails to set config.isAdmin = false in the else condition, it relies upon the fact that config.isAdmin === undefined === false.Unfortunately, as the prototype has been polluted, the prototype of
config has now set isAdmin === true, which allows the administrator authorization to be bypassed.References
[1] Olivier Arteau Prototype pollution attack.
[2] Open Web Application Security Project (OWASP) Prototype Pollution Prevention Cheat Sheet
[3] Standards Mapping - Common Weakness Enumeration CWE ID 1321
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.5.2 Input and Output Architectural Requirements (L2 L3), 5.1.2 Input Validation Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[12] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
desc.dataflow.javascript.prototype_pollution