Prototype Pollution: A Deep-Dive

Prototype Pollution is a JavaScript vulnerability that lets an attacker modify an object’s prototype, causing all objects to inherit attacker-controlled properties and potentially leading to XSS or Remote Code Execution. The article explains how prototypes work in JavaScript, outlines common pollution patterns, shows real-world gadget chains, and describes dynamic ways to detect and exploit polluted prototypes.

Keypoints

  • Prototype Pollution lets an attacker control the __proto__ property to affect all objects and their behavior.
  • JavaScript prototypes are the inheritance mechanism; modifying __proto__ propagates changes across objects in real time.
  • Pollution sources are merging, cloning, and value-setting operations, especially when building objects from user input.
  • The jQuery Deparam example (CVE-2021-20087) shows a real-world pollution path via URL parameters that can lead to vulnerabilities.
  • Gadgets and sinks (e.g., DOM XSS paths, fetch API gadgets) enable turning pollution into code execution or UI compromises.
  • Dynamic detection and gadget discovery (pollute.js, dynamic instrumentation) can help identify possible gadget chains in libraries.
  • Attackers may combine pollution with existing frameworks (like reCAPTCHA or Vue templates) to achieve DOM-based XSS or other exploits.
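The merge-from-user-input source named above, as an added example that is not code from the NetSPI article: a recursive merge written the common way, the same merge hardened against prototype-bearing keys, and a check a test suite can run. The JSON payload is constructed to mirror the `__proto__[polluted]=Polluted` shape from the IoC list.

```javascript
// Added example, not from the original article. JSON.parse creates an own
// "__proto__" key, and reading target["__proto__"] on a plain object returns
// Object.prototype, so the naive recursion writes straight into it.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip keys that reach a prototype and only descend into own
// properties of `target`, never into inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (typeof own !== 'object' || own === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection check: has a property landed on Object.prototype itself?
function isPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Constructed payload, the JSON-body form of __proto__[polluted]=Polluted.
const PAYLOAD = '{"name":"demo","__proto__":{"polluted":"Polluted"}}';

function demo() {
  const safeTarget = safeMerge({}, JSON.parse(PAYLOAD));
  const afterSafe = isPolluted('polluted');        // false: key was skipped
  const unsafeTarget = unsafeMerge({}, JSON.parse(PAYLOAD));
  const afterUnsafe = isPolluted('polluted');      // true: prototype written
  const leaked = ({}).polluted;                    // unrelated object now inherits it
  delete Object.prototype.polluted;                // clean up for other tests
  return { afterSafe, afterUnsafe, leaked, safeName: safeTarget.name, unsafeName: unsafeTarget.name };
}
```

Running `demo()` shows the unrelated empty object inheriting `"Polluted"` only after the unsafe merge; the `isPolluted` check is cheap enough to add to a test suite that exercises any merge or deparam helper with `__proto__` keys.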

MITRE Techniques

  • [T1203] Exploitation for Client Execution – Prototype Pollution can enable client-side Cross-Site Scripting and server-side Remote Code Execution. “Prototype Pollution is a JavaScript vulnerability where it’s possible for an attacker to control unexpected variables in JavaScript, which on the client-side can lead to Cross-Site Scripting, and on the server-side lead to Remote Code Execution.”
  • [T1059.007] JavaScript – The attack uses JavaScript to modify prototypes and propagate polluted properties across objects. “The core of Prototype Pollution – being able to control unexpected variables in JavaScript, and then use them to change the path code takes in unexpected ways.”

Indicators of Compromise

  • [URL] context – https://example.com/?__proto__[polluted]=Polluted, https://example.com/?__proto__.polluted=Polluted
  • [Domain] context – example.com, google.com
  • [CVE] context – CVE-2021-20087

Read more: https://www.netspi.com/blog/technical-blog/web-application-pentesting/ultimate-guide-to-prototype-pollution/