Prototype Pollution is a vulnerability affecting JavaScript. It refers to the ability to inject properties into the prototypes of existing JavaScript language constructs, such as Object. JavaScript allows all Object attributes to be altered, including magical attributes such as __proto__, constructor and prototype.
The vulnerability happens when injected parameters are relied on by the susceptible website (web app), leading to unexpected behavior.
Some examples of Prototype Pollution:
Denial of service (DoS)
DoS takes place when Object holds common properties that are implicitly relied on for a variety of operations. The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as an Int or an Object. In this case, the code fails and is likely to cause a DoS.
For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, any code that at some point relied on someobject.toString() would fail.
Remote Code Execution
Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
For example: eval(someobject.someattr). Here, if the attacker pollutes Object.prototype.someattr, they are likely to be able to leverage this to execute code.
Property Injection
If a codebase checks privileges via someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to true, every object inherits that value and they achieve admin privileges.
Description:
All versions of package nis-utils are vulnerable to Prototype Pollution via the setValue function.
Proof of Concept
const nisUtils = require('nis-utils');
// The first path segment walks from the empty object onto Object.prototype,
// so the final assignment lands on the shared prototype.
nisUtils.object.setValue({}, '__proto__.polluted', true);
// "polluted" resolves through the global object's prototype chain and prints true
console.log(polluted);
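As an added example (not the nis-utils package's own code and not the advisory's PoC), the following JavaScript places a constructed naive dotted-path setter, which behaves like the vulnerable setValue described above, beside a hardened version that rejects the __proto__, constructor and prototype segments, and shows the own-property privilege check that defeats the isAdmin injection described earlier. The function names naiveSetValue, safeSetValue, isAdmin and demonstrate are assumptions made for this example.

```javascript
// Added example, not nis-utils code: a vulnerable deep setter beside a
// hardened one, plus a privilege check that ignores inherited properties.

// Path segments that let a dotted path escape onto a shared prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive deep setter (constructed for illustration, NOT the package's code):
// it walks or creates each path segment without validating the key, so a
// leading "__proto__" segment steps onto Object.prototype.
function naiveSetValue(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened deep setter: refuses prototype-chain keys up front and only walks
// own, non-null object properties, never anything inherited.
function safeSetValue(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) throw new Error(`refusing to set key "${k}"`);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Privilege check that only honours an OWN isAdmin property, so a value
// injected into Object.prototype is not inherited as a grant.
function isAdmin(user) {
  return Object.prototype.hasOwnProperty.call(user, 'isAdmin') && user.isAdmin === true;
}

// Runs both setters against a constructed attacker-controlled path and
// reports what each does; the pollution is undone before returning.
function demonstrate() {
  const result = {};

  naiveSetValue({}, '__proto__.isAdmin', true);     // pollutes Object.prototype
  result.naiveAdmin = ({}).isAdmin === true;         // true: every object inherits it
  result.ownCheckAdmin = isAdmin({});                // false: own-property check ignores it
  delete Object.prototype.isAdmin;                   // undo the pollution

  let safeThrew = false;
  try {
    safeSetValue({}, '__proto__.isAdmin', true);
  } catch (e) {
    safeThrew = true;                                // hardened setter rejects the path
  }
  result.safeThrew = safeThrew;
  result.afterSafe = ({}).isAdmin === undefined;     // true: prototype untouched

  const cfg = safeSetValue({}, 'server.port', 8080); // legitimate nested write still works
  result.safeNested = cfg.server.port;
  return result;
}

console.log(demonstrate());
```

The check in isAdmin is the same fix a code base would apply wherever a security decision reads a property that an attacker could have placed on Object.prototype: look only at own properties, and treat anything inherited as absent.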