Prototype pollution: The dangerous and underrated vulnerability impacting JavaScript applications

guest · Aug 27, 2020

Prototype pollution: The dangerous and underrated vulnerability impacting JavaScript applications
A new class of security flaw is emerging from obscurity
August 26, 2020
https://portswigger.net/daily-swig/...lnerability-impacting-javascript-applications

In early 2019, security researchers at Snyk disclosed details of a severe vulnerability in Lodash, a popular JavaScript library, which allowed hackers to attack multiple web applications.

The security hole was a prototype pollution bug – a type of vulnerability that allows attackers to exploit the rules of the JavaScript programming language and compromise applications in various ways.
Click to expand...

What is prototype pollution?
JavaScript is prototype-based: when new objects are created, they carry over the properties and methods of the prototype “object”, which contains basic functionalities such as toString, constructor and hasOwnProperty.
Object-based inheritance gives JavaScript the flexibility and efficiency that web programmers have come to love – but it also makes it vulnerable to tampering.

Malicious actors can make application-wide changes to all objects by modifying object, hence the name prototype pollution.
Click to expand...

What is the impact of prototype pollution?
“The impact of prototype pollution depends on the application,” security researcher Michał Bentkowski tells The Daily Swig.

“In a nutshell, every time a JavaScript code accesses a property that doesn’t exist on an object (which includes checking the existence of the property), we can change the outcome of the check with prototype pollution.”
But other vulnerabilities are likely to surface. “Client-side exploitation of prototype pollution is not currently well covered,” says Bentkowski, who is currently working on a detailed account of how exploits in this category can bypass popular HTML sanitizers such as html-sanitize and DOMPurify.

On the server side, the impact of prototype pollution is better known.
Click to expand...

An underrated bug
All the researchers The Daily Swig spoke to voiced a common concern: that prototype pollution is not getting enough attention.

“I felt infinite potential in this type of vulnerability. But compared to the possibilities, I don’t think enough research has been done,” says Posix, who has been focusing on prototype pollution attacks since last year.
“The community needs to learn and practice this type of vulnerability in more depth and with more attention, since it is still obscure and dangerous,” Aldoub says.
Click to expand...

guest · Sep 29, 2020

Prototype pollution vulnerability left bug bounty platform HackerOne open to attack
Bug discovered in third-party video marketing platform
September 29, 2020
https://portswigger.net/daily-swig/...-bug-bounty-platform-hackerone-open-to-attack

A JavaScript library used by HackerOne contained a prototype pollution vulnerability that could have allowed hackers to stage phishing attacks on unsuspecting users.

First reported on the HackerOne bug bounty platform by security researcher William Bowling, the new prototype pollution vulnerability was found in one of the JavaScript files used to host content from Wistia, a video hosting and marketing platform.
He found the bug while looking for cross-site scripting (XSS) vulnerabilities on the HackerOne.com domain. The company’s main bug bounty platform is separately managed.

“I started searching for anywhere that user-controlled data was being used, but since it’s just their marketing site it didn’t leave too many options,” Bowling told The Daily Swig.
Click to expand...

Third-party bounty
“While the vulnerability was not exploited, it could’ve enabled an attacker to craft special URLs that could make it seem like content was injected on the site,” Jobert Abma, co-founder of HackerOne, told The Daily Swig.

Prototype pollution bugs are mostly limited to special uses of JavaScript, but they are dangerous, underrated, and often overlooked.
Click to expand...

Log in or Sign up

Prototype pollution: The dangerous and underrated vulnerability impacting JavaScript applications

guest Guest

guest Guest

Log in or Sign up

Prototype pollution: The dangerous and underrated vulnerability impacting JavaScript applications

guest Guest

guest Guest

Useful Searches