Prototype Pollution - A JavaScript Attack Technique

Prototype Pollution

A JavaScript Attack Technique

Andrea Hauser
by Andrea Hauser
on January 19, 2023
time to read: 12 minutes

Keypoints

How to Exploit Prototype Pollution

  • JavaScript Prototype Pollution allows the object prototype to be attacked
  • This allows client-side cross-site scripting and server-side remote code execution vulnerabilities to be exploited
  • Manual identification in minified JavaScript code is difficult or virtually impossible, however good tooling is available
  • Developers have a variety of ways to protect against the vulnerability

JavaScript Prototype Pollution is a JavaScript vulnerability that can be used to add properties to the global prototype; don’t worry if this doesn’t mean anything to you, this article goes into the necessary JavaScript basics. This vulnerability can in the worst case be exploited client-side for cross-site scripting and server-side for remote code execution.

This section describes JavaScript basics. If you are already familiar with JavaScript, you can easily skip this section.

What is an Object in JavaScript?

An object is actually just a collection of properties, where properties are key:value pairs. An object looks like this:

var exampleObject = {
    test: "value",
    exampelMethod: function() {
        //do something here
        console.log("test")
    }
}

The properties of an object can be accessed as follows:

exampleObject.test

or

exampleObject['test']

and the method of an object can be accessed as follows:

exampleObject.exampleMethod();

The example above is an explicitly declared object, but in JavaScript almost everything is based on objects in the background. This is solved via the prototype.

What is the JavaScript Prototype?

The prototype is the mechanism used in JavaScript for inheriting elements from objects. The prototype of an object is nothing more than another object that also has its own prototype. And since practically everything in JavaScript below the surface is an object, this chain ultimately leads back to the uppermost Object.prototype, whose prototype is then simply the value null.

In practice, this means that JavaScript does the following in the background when a property is accessed by means of exampleObject.test or exampleObject['test'].:

  1. The JavaScript engine looks for the property test in the object exampleObject.
  2. If the property exists, it is returned. Otherwise, the prototype of the user-defined object is taken and the property is searched for there. This search is continued in the prototype chain until the property is found or until the top prototype, i.e. the null prototype, is reached and undefined is returned.

An object’s prototype can be accessed as follows:

With these basics, you should now be able to understand JavaScript Prototype Pollution.

Prototype Pollution

With prototype pollution, an attacker aims to modify Object.prototype. Since almost all elements in JavaScript inherit from Object, almost all elements can be attacked, if Object.prototype can be changed. In most cases, prototype pollution is triggered by an insecure merge function that recursively takes properties from an untrusted source. Olivier Arteau describes such a merge function in his paper Prototype pollution attack in NodeJS application as follows:

merge(target, source)
    foreach property of source
        if property exists and is an object on both the target and the source
            merge(target[property], source[property])
        else
            target[property] = source[property]

For Prototype Pollution the following is needed:

Finding Prototype Pollution with Burp DOM Invader

The DOM Invader is an extension of the Chromium browser that comes with Burp. This extension is normally deactivated, as it can have unwanted side effects. It can be activated as follows:

In the browser supplied with Burp, select the extension with the title Burp Suite:

DOM Invader extension

Select and activate DOM Invader in the window that opens:

Activating the DOM Invader extension

As soon as the extension is active, the web page that is being checked for prototype pollution can be reloaded. This will set up the DOM Invader in the background. In the Developer Tools there is now a new entry with the title DOM Invader. When this is selected, the results of the DOM Invader analysis are displayed. In the example below, two Prototype Pollution possibilities have been identified:

Initial identification of a Prototype Pollution in DOM Invader

With Scan for gadgets you can search for gadgets that turn Prototype Pollution into XSS. The scanning looks like this:

DOM Invader Scan for gadgets

And the result of a successful scan as follows:

DOM Invader Scan for gadgets result

in the simplest case you can simply select the option Exploit and an alert(1) will be executed. If no alert appears, the error message should be displayed in the console and by means of the StackTrace available there, you end up in the JavaScript at the place where the prototype pollution is going wrong. From there, you can simply analyse the payload and adjust it as expected so that the alert is executed.

Finding Prototype Pollution Manually

The manual search for JavaScript prototype pollution can be very time-consuming, especially if the JavaScript code used by the website has been minified. How to go about this has been covered better and in more depth in the articles by Portswigger and Nikita Stupin than can be done here. Reading these articles is highly recommended to deepen one’s knowledge of prototype pollution. In particular, the Portswigger article is recommended, as it also offers labs where the techniques learned can be applied directly.

Examples from the Real World

Countermeasures

There are different ways to protect against JavaScript Prototype Pollution. These each come with different advantages and disadvantages:

Summary

JavaScript Prototype Pollution is a complex attack possibility that can lead to cross-site scripting or in the worst cases even remote code execution on the server side. It is possible to find such vulnerabilities manually, but it is very time-consuming since most modern websites have a lot and most of the time minified JavaScript code. However, since Portswigger, the developers of Burp, have dealt extensively with the topic, good tooling for identifying this type of vulnerability is provided within Burp. Developers have a wide range of options with various advantages and disadvantages for hardening JavaScript code against Prototype Pollution.

About the Author

Andrea Hauser

Andrea Hauser graduated with a Bachelor of Science FHO in information technology at the University of Applied Sciences Rapperswil. She is focusing her offensive work on web application security testing and the realization of social engineering campaigns. Her research focus is creating and analyzing deepfakes. (ORCID 0000-0002-5161-8658)

Links

Are you interested in a Penetration Test?

Our experts will get in contact with you!

×
Ways of attacking Generative AI

Ways of attacking Generative AI

Andrea Hauser

XML Injection

XML Injection

Andrea Hauser

Burp Macros

Burp Macros

Andrea Hauser

WebSocket Fuzzing

WebSocket Fuzzing

Andrea Hauser

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here