What is Prototype Pollution?
Prototype Pollution, as the name suggests, is about polluting the prototype of a base object, which can sometimes lead to arbitrary code execution. According to Olivier Arteau's research and his talk at NorthSec 2018, prototype pollution happens in unsafe merge, clone, extend and path-assignment operations applied to malicious JSON objects. Recently, a high-severity prototype pollution vulnerability (CVE-2019-10744) was discovered in lodash (versions earlier than 4.17.12). You can read more details in the Snyk Security Research Team's blog post, which describes the lodash vulnerability and its fixes.
In this article, we will try to get a basic understanding of Prototype Pollution.
The attack
JavaScript is often described as a prototype-based language. The __proto__ property of Object.prototype exposes the internal [[Prototype]] (either an object or null) of the object through which it is accessed. The use of __proto__ is controversial, but modern browsers support it anyway.
A common undesirable practice is overwriting the prototype of a default JavaScript object. If we modify the prototype of an object in one place, the behavior of all objects inheriting from it can be affected throughout the entire application. For example, in the code snippet below, the toString() method of an object is hijacked and as a result all objects get polluted.
The more common case is a function that iterates over an object's properties without being aware of the prototype, for example a merge function that combines the properties of two objects (see below). This is the attack from the Nullcon HackIM challenge, which has been described in many places, for example in this blog post.
By passing malicious JSON feedback (line 21) to the NodeJS backend, the authorization logic is tricked into thinking the attacker is an admin. If other logic depends on the "admin" property, the attack would lead to Remote Code Execution (RCE).
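To make the merge case concrete, here is an added example (not code from the article or the challenge): a naive recursive merge of the kind described above, beside a hardened version that refuses to descend into the "__proto__", "constructor" and "prototype" keys, plus a check that tells you whether a merge left Object.prototype polluted. The PAYLOAD value is a constructed sample, not the challenge's real input.

```javascript
// Added example: vulnerable merge vs. hardened merge, with a pollution check.

function isObject(v) {
  return v !== null && typeof v === 'object';
}

// Vulnerable: copies every enumerable key from src into dst, including an
// own "__proto__" key produced by JSON.parse. dst["__proto__"] resolves to
// Object.prototype, so the recursive call writes into the shared prototype.
function unsafeMerge(dst, src) {
  for (const key in src) {
    if (isObject(src[key])) {
      if (!isObject(dst[key])) dst[key] = {};
      unsafeMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: skips prototype-bearing keys, walks only own keys of src, and
// never reuses an inherited dst[key] as a merge target.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN.has(key)) continue;
    if (isObject(src[key])) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || !isObject(dst[key])) dst[key] = {};
      safeMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Constructed sample of the malicious "feedback" JSON the article describes.
const PAYLOAD = '{"message":"hi","__proto__":{"admin":true}}';

// Runs mergeFn over PAYLOAD, then asks whether an unrelated fresh object now
// inherits "admin". Cleans Object.prototype afterwards so runs stay isolated.
function checkPollution(mergeFn) {
  mergeFn({}, JSON.parse(PAYLOAD));
  const leaked = ({}).admin === true;
  delete Object.prototype.admin;
  return leaked;
}
```

The same check can be dropped into a test suite against any merge, clone or extend helper your application uses: if a fresh `{}` gains properties after merging untrusted input, that helper is the sink to fix.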