Prototype Pollution Vulnerability (Part 2)

Following our previous discussion, we will now examine real-world examples of prototype pollution, its potential impact on applications, and key strategies for mitigation. Understanding these risks is essential for maintaining secure and resilient systems.

Example: Via JSON Input

Applications that accept JSON payloads and merge them into objects without proper validation are vulnerable to prototype pollution. Consider the following scenario:

const user = { name: "johndoe" };
if (user.isAdmin) {
    // Admin logic
}

An attacker sends a payload with an isAdmin property nested under __proto__. JSON.parse keeps __proto__ as an own key of the parsed object; when the application then merges that object with an unsafe recursive merge, the nested isAdmin property lands on the global object prototype, so every object, including user, appears to have isAdmin set and the attacker gains unauthorized admin access:

// Unsafe recursive merge: copies "__proto__" as if it were an ordinary key
const merge = (t, s) => { for (const k in s) t[k] = (s[k] && typeof s[k] === 'object') ? merge(t[k] || {}, s[k]) : s[k]; return t; };
merge({}, JSON.parse('{"__proto__": {"isAdmin": true}}')); // Pollutes Object.prototype
console.log(user.isAdmin); // Output: true

Example: Via URL Input

Applications using query parameters to construct objects are another common target. Consider this Express.js example:

const express = require('express');
const app = express();

app.get('/config', (req, res) => {
    const config = { ...req.query };
    res.send(config);
});

An attacker adds a __proto__ property to the query string. The backend's query-string parser expands the bracket notation into a nested object, and when that object is merged into application objects without validation, the global object prototype is polluted:

http://example.com/config?__proto__[polluted]=true
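Whether a payload like the two above actually reaches Object.prototype depends on what the application does with the parsed object: a plain object spread such as { ...req.query } only creates an own "__proto__" key on the copy, whereas a recursive merge that follows target["__proto__"] walks straight into the shared prototype. The following is an added example, not code from the original post: a unit-test style probe that takes a merge function and reports which payload shapes let it pollute Object.prototype, restoring the prototype after each attempt. The names unsafeMerge, auditMerge, PROBES and the marker key are all invented for this demonstration.

```javascript
// Naive recursive merge, written here as the thing under test. It treats
// "__proto__" and "constructor" like ordinary keys, which is the defect.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      // target["__proto__"] resolves to Object.prototype, so the recursion
      // ends up writing into the shared prototype
      target[key] = unsafeMerge(target[key] || {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Probe payloads in the shapes the post describes, as a parsed JSON body.
// The marker key is constructed for the demo and has no other meaning.
const MARKER = 'pp_probe_marker';
const PROBES = {
  jsonProto: JSON.parse(`{"__proto__": {"${MARKER}": 1}}`),
  jsonConstructor: JSON.parse(`{"constructor": {"prototype": {"${MARKER}": 1}}}`),
};

// Returns the names of the probes that polluted Object.prototype through
// mergeFn. Each attempt is checked on a fresh object and cleaned up, so the
// process is left in the state it started in.
function auditMerge(mergeFn) {
  const leaked = [];
  for (const [name, payload] of Object.entries(PROBES)) {
    try {
      mergeFn({}, payload);
    } catch (e) {
      // A merge may throw part way through (e.g. assigning to the
      // non-writable Object.prototype slot in strict mode); the prototype
      // can still have been written before the throw, so keep checking.
    }
    if (({})[MARKER] === 1) {
      leaked.push(name);
      delete Object.prototype[MARKER];
    }
  }
  return leaked;
}

// Demo run against the naive merge above.
console.log('unsafeMerge leaked via:', auditMerge(unsafeMerge)); // [ 'jsonProto', 'jsonConstructor' ]
```

Pass in the deep-merge you actually rely on, whether a helper of your own or one from a dependency, and fail the build when the returned list is non-empty. Because the probe cleans up after itself it is safe to keep in an ordinary test suite.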

Mitigations

1. Sanitize User Inputs

Filter out dangerous properties like __proto__, constructor, and prototype before processing user inputs:

function sanitizeInput(input) {
    const forbiddenKeys = ['__proto__', 'constructor', 'prototype'];
    // Walk own keys only and recurse, so a dangerous key nested deeper
    // in the payload is removed as well as one at the top level
    for (const key of Object.keys(input)) {
        if (forbiddenKeys.includes(key)) {
            delete input[key];
        } else if (input[key] !== null && typeof input[key] === 'object') {
            sanitizeInput(input[key]);
        }
    }
    return input;
}

2. Use Secure Libraries

Ensure that utility libraries such as lodash and deepmerge are updated to their latest versions, which often include safeguards against prototype pollution.

3. Avoid Using Object Prototypes

Create objects using Object.create(null) to ensure they do not inherit from Object.prototype.

const safeObject = Object.create(null);
safeObject.key = "value";

4. Freeze Prototypes

Freezing object prototypes can prevent modification during runtime, but may cause compatibility issues in some applications.

Object.freeze(Object.prototype);
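Mitigations 1, 3 and 4 reinforce each other, and the following added example (not code from the original post) puts them together: a merge that filters the dangerous keys at every depth, builds its nested containers with Object.create(null) so there is no prototype to reach, and a guarded freeze of Object.prototype with a probe that confirms writes to it no longer land. The names safeMerge, parseJsonSafely, freezeObjectPrototype and prototypeAcceptsWrites are invented for this demonstration.

```javascript
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursive merge that (1) walks own keys only, (2) drops the keys an
// attacker uses to reach the prototype at every depth, and (3) creates
// nested containers with Object.create(null). Arrays are copied by
// reference rather than merged, which keeps the example focused.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      // Only reuse a container the target really owns; never an inherited one
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const child = (existing !== null && typeof existing === 'object') ? existing : Object.create(null);
      target[key] = safeMerge(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Parses a JSON body into a prototype-less object tree. A payload carrying
// "__proto__" or "constructor" loses those keys and cannot reach
// Object.prototype through any later merge.
function parseJsonSafely(text) {
  return safeMerge(Object.create(null), JSON.parse(text));
}

// Mitigation 4: freeze the shared prototype once at startup, after every
// dependency has loaded, since code that assigns to Object.prototype will
// fail afterwards. Returns false when it was already frozen.
function freezeObjectPrototype() {
  if (Object.isFrozen(Object.prototype)) return false;
  Object.freeze(Object.prototype);
  return true;
}

// Tries to write a property onto Object.prototype and reports whether it
// became visible on a fresh object, cleaning up if the write got through.
// On a frozen prototype the write is ignored in sloppy mode and throws in
// strict mode; both cases report false. The key name is constructed.
function prototypeAcceptsWrites(key = 'pp_freeze_probe') {
  try {
    Object.prototype[key] = true;
  } catch (e) {
    return false;
  }
  const visible = ({})[key] === true;
  if (visible) delete Object.prototype[key];
  return visible;
}

// Demo: the post's JSON payload, parsed safely. The user object stays clean.
const parsed = parseJsonSafely('{"__proto__": {"isAdmin": true}, "name": "johndoe"}');
console.log(Object.keys(parsed), ({}).isAdmin); // [ 'name' ] undefined
```

Run prototypeAcceptsWrites() before and after freezeObjectPrototype() during startup to verify the freeze took effect in your runtime, and keep the compatibility caveat from the section above in mind: test the frozen configuration against the full dependency set before rolling it out.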

5. Implement Secure Development Practices

Adopt secure coding standards, validate all inputs, and regularly audit code and dependencies for vulnerabilities.

Conclusion

Prototype pollution is a powerful vulnerability that can compromise the integrity and security of JavaScript applications. By understanding its real-world implications and implementing robust mitigation strategies, developers can protect their applications from potential attacks. Prioritize secure coding practices, stay vigilant with dependency updates, and adopt proactive measures to mitigate this threat effectively. Consultants from Hexadius can provide expert guidance to help secure your applications, identify vulnerabilities, and ensure your systems remain resilient against emerging threats. Contact us today to strengthen your security posture.

Reference: https://portswigger.net/web-security/prototype-pollution
