Komodo Research

Prototype Pollution - The Vulnerability Impacting JavaScript Applications

Updated: Oct 20

Prototype pollution is a relatively new and still unfamiliar class of vulnerability. In the last few years several good researchers have published on the subject, and plenty of valuable resources about prototype pollution are available online.

However, even after reading these articles the vulnerability remains a bit of a mystery. To start with, one should understand the concept of object orientation and the way it is implemented in JavaScript (prototype-based, which is different from ‘classical’ object-oriented languages such as Java or C++). Then we need to understand why any developer would allow internal properties of an object to be controlled by user input and, even so, how one can actually use that to exploit an application.

Hence, we at Komodo Consulting have built a small app that uses a vulnerable JavaScript library. You can play with it, debug it, view the prototype chain and most importantly, hack the application and gain RCE.

Well… not exactly RCE. We decided to build a client-side application, so you get to run arbitrary JavaScript inside a browser. However, the same logic applies to server-side applications as well. We chose client-side to keep it simple and reachable for everyone: all you need is a browser and you are good to go.

If you dig into the app you will notice that you run in the context of a regular user: John Doe. This user is allowed to merge objects using a vulnerable library, and is therefore able to elevate privileges to admin and run arbitrary JavaScript code.
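The merge pattern described above, as an added example that is not the app's code or any real library: a recursive merge that copies a user-supplied `__proto__` key straight into `Object.prototype`, beside a hardened variant that drops chain-altering keys. The JSON payload, the `isAdmin` property and the `session` object are constructed for the illustration.

```javascript
// Added example (not Komodo's app): a recursive "deep merge" over user JSON,
// how a "__proto__" key lets it write into Object.prototype, and the fix.

// Vulnerable: for...in copies every key, including "__proto__". On a plain
// object target["__proto__"] *is* Object.prototype, so the recursion writes
// attacker-chosen properties onto the prototype shared by every object.
function unsafeMerge(target, source) {
  for (const key in source) {
    const val = source[key];
    if (typeof val === 'object' && val !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: own keys only, the three chain-altering names dropped outright,
// and recursion only into a nested object that target itself owns.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN.has(key)) continue;
    const val = source[key];
    if (typeof val === 'object' && val !== null && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) &&
                  typeof target[key] === 'object' && target[key] !== null;
      if (!own) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed profile-update JSON as a regular user could submit it. Returns
// whether an unrelated object created afterwards now reads as admin, then
// removes any pollution so the process is left as it started.
function pollutes(merge) {
  const payload = JSON.parse('{"name":"John Doe","__proto__":{"isAdmin":true}}');
  merge({}, payload);
  const session = { user: 'jane' };          // a different object entirely
  const hit = session.isAdmin === true;
  delete Object.prototype.isAdmin;
  return hit;
}

console.log('unsafeMerge pollutes:', pollutes(unsafeMerge)); // true
console.log('safeMerge pollutes:  ', pollutes(safeMerge));   // false
```

The check in `pollutes` is also a cheap runtime detection: if a freshly created empty object reports a property it never received, some code path has written to a shared prototype.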

Check out the app. Have fun!

For a detailed study of the attack I highly recommend reading Olivier Arteau’s research, Prototype pollution attack in NodeJS application.

Komodo is a high-end cyber security firm that specializes in Infrastructure and Application Security. We make Cyber Security Simple.

With thousands of successful Penetration Testing and Red Team projects for more than 100 happy clients, you're in the right hands.