Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prototype Pollution #79

Open
strophy opened this issue Dec 6, 2022 · 0 comments
Open

Prototype Pollution #79

strophy opened this issue Dec 6, 2022 · 0 comments

Comments

@strophy
Copy link
Collaborator

strophy commented Dec 6, 2022

Summary:
Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

Title - Prototype pollution attack[CVE-2019-10768]

Vulnerable URL:-https://explorer.dash.org/insight/

Steps To Reproduce:
1.Create/signup your account and check angularjs
2.Open console and put this payload
angular.merge({}, JSON.parse('{"proto": {"xxx": "polluted"}}'));
console.log(({}).xxx);

References:-
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-534884
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10768

Impact:-
Then it will let the attacker get access to sensitive information by polluting the scope with the isAdmin property. If the attacker changes some existing attribute to an unexpected return type (say toString attribute to return type integer) it will cause your application to crash (Denial of Service) or if you are using your server for code execution like node.js exec or eval then it might even lead to Remote code execution(RCE)

Fix:
Freeze the prototype— use Object.freeze (Object.prototype).

Require schema validation of JSON input.

Avoid using unsafe recursive merge functions.

Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

As a best practice use Map instead of Object.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant