Client-Side Prototype Pollution

high Web App Scanning Plugin ID 112719

Language:

Synopsis

Description

Prototype-based programming languages rely on the process of defining objects used as prototypes to be then extended or cloned in order to create new objects. Once instantiated, these objects will inherit from the properties and methods of their prototype.

JavaScript is one of the most common prototype-based language in modern web applications, on both server-side and client-side components. Nearly all the JavaScript objects are instances of Object, making them inherit from the properties and methods of the Object prototype.

A client-side prototype pollution vulnerability exists when an attacker is able to modify the properties of the Object prototype in the context of the web browser, exposing the application users to further issues like Cross-Site Scripting or Denial of Service attacks.

Solution

The inputs should be properly sanitized to prevent the Object prototype from being modified when trying to leverage on the properties like prototype or constructor during some operations (like merging or cloning objects). JavaScript objects can also be explicitly instantiated without a prototype by using the Object.create(null) constructor. Finally, prefer using a Map object as a key and value storage as it will not contain the Objects prototype keys, thus preventing the pollution to occur.