NodeJS - __proto__ & prototype Pollution
Last updated
Last updated
Learn & practice AWS Hacking: Learn & practice GCP Hacking:
Objects in JavaScript are essentially collections of key-value pairs, known as properties. An object can be created using Object.create with null as an argument to produce an empty object. This method allows the creation of an object without any inherited properties.
An empty object is akin to an empty dictionary, represented as {}.
In JavaScript, classes and functions are closely linked, with functions often serving as constructors for classes. Despite JavaScript's lack of native class support, constructors can emulate class behavior.
JavaScript allows the modification, addition, or deletion of prototype attributes at runtime. This flexibility enables the dynamic extension of class functionalities.
Functions like toString and valueOf can be altered to change their behavior, demonstrating the adaptable nature of JavaScript's prototype system.
In prototype-based programming, properties/methods are inherited by objects from classes. These classes are created by adding properties/methods either to an instance of another class or to an empty object.
It should be noted that when a property is added to an object serving as the prototype for other objects (such as myPersonObj), the inheriting objects gain access to this new property. However, this property is not automatically displayed unless it is explicitly invoked.
JavaScript objects are defined by key-value pairs and inherit from the JavaScript Object prototype. This means altering the Object prototype can influence all objects in the environment.
Let's use a different example to illustrate:
Access to the Object prototype is possible through:
By adding properties to the Object prototype, every JavaScript object will inherit these new properties:
For a scenario where __proto__ usage is restricted, modifying a function's prototype is an alternative:
This affects only objects created from the Vehicle constructor, giving them the beep, hasWheels, honk, and isElectric properties.
Two methods to globally affect JavaScript objects through prototype pollution include:
Polluting the Object.prototype directly:
Polluting the prototype of a constructor for a commonly used structure:
After these operations, every JavaScript object can execute goodbye and greet methods.
In an scenario where you can pollute an specific object and you need to get to Object.prototype you can search for it with something like the following code:
Note that as you can pollute attributes of objects in JS, if you have access to pollute an array you can also pollute values of the array accessible by indexes (note that you cannot overwrite values, so you need to pollute indexes that are somehow used but not written).
A prototype pollution occurs due to a flaw in the application that allows overwriting properties on Object.prototype. This means that since most objects derive their properties from Object.prototype
The easies example is to add a value to an undefiner attribute of an object that is going to be checked, like:
If the attribute admin is undefined it's possible to abuse a PP and set it to True with something like:
The mechanism behind this involves manipulating properties such that if an attacker has control over certain inputs, they can modify the prototype of all objects in the application. This manipulation typically involves setting the __proto__ property, which, in JavaScript, is synonymous with directly modifying an object's prototype.
Performing a recursive merge.
Defining properties based on a path.
Cloning objects.
Other payloads:
This vulnerability, identified as CVE-2019–11358, illustrates how a deep copy can inadvertently modify the prototype, leading to potential security risks, such as unauthorized admin access if properties like isAdmin are checked without proper existence verification.
NodeJS extensively utilizes Abstract Syntax Trees (AST) in JavaScript for functionalities like template engines and TypeScript. This section explores the vulnerabilities related to prototype pollution in template engines, specifically Handlebars and Pug.
The Handlebars template engine is susceptible to a prototype pollution attack. This vulnerability arises from specific functions within the javascript-compiler.js file. The appendContent function, for instance, concatenates pendingContent if it's present, while the pushSource function resets pendingContent to undefined after adding the source.
Exploitation Process
The exploitation leverages the AST (Abstract Syntax Tree) produced by Handlebars, following these steps:
Manipulation of the Parser: Initially, the parser, via the NumberLiteral node, enforces that values are numeric. Prototype pollution can circumvent this, enabling the insertion of non-numeric strings.
Handling by the Compiler: The compiler can process an AST Object or a string template. If input.type equals Program, the input is treated as pre-parsed, which can be exploited.
Injection of Code: Through manipulation of Object.prototype, one can inject arbitrary code into the template function, which may lead to remote code execution.
An example demonstrating the exploitation of the Handlebars vulnerability:
This code showcases how an attacker could inject arbitrary code into a Handlebars template.
Example of prototype pollution exploit in Python:
Example of prototype pollution in Pug:
To reduce the risk of prototype pollution, the strategies listed below can be employed:
Object Immutability: The Object.prototype can be made immutable by applying Object.freeze.
Input Validation: JSON inputs should be rigorously validated against the application's schema.
Safe Merge Functions: The unsafe use of recursive merge functions should be avoided.
Prototype-less Objects: Objects without prototype properties can be created using Object.create(null).
Use of Map: Instead of Object, Map should be used for storing key-value pairs.
Library Updates: Security patches can be incorporated by regularly updating libraries.
Linter and Static Analysis Tools: Use tools like ESLint with appropriate plugins to detect and prevent prototype pollution vulnerabilities.
Code Reviews: Implement thorough code reviews to identify and remediate potential risks related to prototype pollution.
Security Training: Educate developers about the risks of prototype pollution and best practices for writing secure code.
Using Libraries with Caution: Be cautious while using third-party libraries. Assess their security posture and review their code, especially those manipulating objects.
Runtime Protection: Employ runtime protection mechanisms such as using security-focused npm packages which can detect and prevent prototype pollution attacks.
When generating a HTML element via JS it's possible to overwrite the innerHTML attribute to make it write arbitrary HTML code. .
The conditions under which this attack can be successfully executed, as outlined in a specific , include:
In jQuery, the $ .extend function can lead to prototype pollution if the deep copy feature is utilized improperly. This function is commonly used for cloning objects or merging properties from a default object. However, when misconfigured, properties intended for a new object can be assigned to the prototype instead. For instance:
encountered similar prototype pollution vulnerabilities (CVE-2018–3721, CVE-2019–10744). These issues were addressed in version 4.17.11.
: Burp Suite extension designed to detect and analyze server-side prototype pollution vulnerabilities in web applications. This tool automates the process of scanning requests to identify potential prototype pollution issues. It exploits known gadgets - methods of leveraging prototype pollution to execute harmful actions - particularly focusing on Node.js libraries.
: This extension identifies server side prototype pollution vulnerabilities. It uses techniques described in the .
External Reference: An issue related to prototype pollution was found in the 'flat' library, as detailed here: .
External Reference:
Pug, another template engine, faces a similar risk of prototype pollution. Detailed information is available in the discussion on .
Learn & practice AWS Hacking: Learn & practice GCP Hacking:
Check the !
Join the 💬 or the or follow us on Twitter 🐦 .
Share hacking tricks by submitting PRs to the and github repos.
