Komodo Research

Prototype Pollution - The Vulnerability Impacting JavaScript Applications

Updated: Jan 14

Prototype pollution is a relatively new and still somewhat unfamiliar class of vulnerability. Over the last few years, however, several researchers have published good work on the subject, and plenty of valuable resources about prototype pollution are available online.

Nevertheless, even after reading these articles, the vulnerability remains a bit of a mystery. First, one has to understand what ‘object oriented’ means in JavaScript and how it differs from ‘classical’ object-oriented languages such as Java or C++: JavaScript objects inherit from other objects through a prototype chain, not from classes. Then one has to understand why any developer would let user input control the internal properties of an object. Finally, how does one actually use it to exploit an application?

Hence, we at Komodo Consulting have built a small app that uses a vulnerable JavaScript library. You can play with it, debug it, view the prototype chain and, most importantly, hack the application and gain RCE.

Well, not exactly RCE. We decided to build a client-side application, so the payoff is running arbitrary JavaScript inside the browser. The same logic applies on the server side (for example in Node.js); we chose the client side to keep the app simple and reachable for everyone. All you need is a browser, and you are good to go.

If you dig into the app, you will notice that you run in the context of a regular user: John Doe. This user is allowed to merge objects through a vulnerable library, and because that merge can write to the prototype shared by every object in the page, it is enough to elevate privileges to admin and run arbitrary JavaScript code.
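To make the privilege-escalation step concrete, here is an added example (not the code of the Komodo demo app or of any real merge library) of how a recursive merge that follows a `__proto__` key turns a regular user into an admin, with a hardened merge beside it. The user object, the `isAdmin` check and the merge endpoint's input are assumed shapes constructed for this illustration:

```javascript
// Added example, not code from the Komodo demo app or from any library:
// a minimal recursive merge of the kind that vulnerable libraries implement,
// the payload a regular user could submit, and a hardened merge beside it.

// Vulnerable merge: walks src recursively and copies into dst, treating the
// key "__proto__" like any other. On a plain object, dst["__proto__"] resolves
// through the inherited accessor to Object.prototype, so one nested key
// writes to the prototype shared by every plain object in the application.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (value !== null && typeof value === 'object') {
      if (dst[key] === undefined || dst[key] === null) dst[key] = {};
      unsafeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Hardened merge: refuses the keys that reach the prototype chain and only
// recurses into an object that dst owns itself, never an inherited one.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (value !== null && typeof value === 'object') {
      if (!Object.prototype.hasOwnProperty.call(dst, key) ||
          dst[key] === null || typeof dst[key] !== 'object') {
        dst[key] = {};
      }
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Application side (assumed shape, not the demo app's real code): a user
// object with no own isAdmin property, and a check that reads the property
// without distinguishing an own property from an inherited one.
function currentUser() {
  return { name: 'John Doe' };   // regular user: isAdmin is simply absent
}
function isAdmin(user) {
  return user.isAdmin === true;
}

// Constructed attacker input: the JSON a user would send to the merge endpoint.
// JSON.parse creates an *own* property literally named "__proto__" (it does not
// invoke the setter), which the vulnerable merge then follows into Object.prototype.
const PAYLOAD = JSON.parse(
  '{"profile": {"nickname": "jd"}, "__proto__": {"isAdmin": true}}');

// Runs the merge the way the app would (user-supplied settings merged into an
// unrelated preferences object), then asks whether a *freshly created* user,
// never touched by the merge, is now admin. Cleans up afterwards so the
// pollution does not leak into the rest of the process.
function runWith(merge) {
  const prefs = {};
  try {
    merge(prefs, PAYLOAD);
    return isAdmin(currentUser());
  } finally {
    delete Object.prototype.isAdmin;
  }
}

console.log('unsafeMerge -> John Doe is admin:', runWith(unsafeMerge)); // true
console.log('safeMerge   -> John Doe is admin:', runWith(safeMerge));   // false
```

The point to notice is that `currentUser()` is never passed to the merge at all: the write landed on `Object.prototype`, so every plain object created afterwards inherits `isAdmin`. Turning that into arbitrary JavaScript needs a property the application later treats as code or markup; which property that is depends on the app, and finding it is the part of the exercise the demo leaves to you.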

Check the app out. Have fun!

For a detailed study of the attack, I highly recommend reading Olivier Arteau's research, Prototype pollution attack in NodeJS application.

Komodo is a high-end cyber security firm specializing in Infrastructure and Application Security. We make Cyber Security Simple.

With thousands of successful Penetration Testing and Red Team projects for more than 100 satisfied clients, you're in the right hands.