**Note: The content in this article is only for educational purposes and understanding of cybersecurity concepts. It should enable people and organizations to have a better grip on threats and know how to protect themselves against them. Please use this information responsibly.**
JavaScript, originally designed to be executed client-side in a web browser, has evolved significantly. The advent of server-side runtime environments, with Node.js being a prime example, has expanded JavaScript's reach into server-side development. This shift has enabled developers to build servers, APIs, and various back-end applications in JavaScript.
As a consequence of this expansion, prototype pollution vulnerabilities have migrated from purely client-side scenarios to server-side environments as well. While the core concept of prototype pollution is the same, detecting and exploiting these vulnerabilities on the server side introduces new complexities and challenges.
Walkthrough of Server-Side Prototype Pollution
This lab utilizes Node.js and the Express framework and is susceptible to server-side prototype pollution due to the unsafe merging of user-controllable input into a server-side JavaScript object. This vulnerability is easily detectable as any polluted properties inherited through the prototype chain are visible in an HTTP response.
To complete the lab:
- Identify a source of prototype pollution that allows you to add arbitrary properties to the global Object.prototype.
- Locate a gadget property that can be used to increase your level of access.
- Find the “Carlos” user in the admin panel and remove them.
You can use the following credentials to log into your account: Peter: Wiener.
- Capture the Address Change Request and study it
- Log in to your account and navigate to the account page. Submit the form to update your billing and delivery address.
- Locate the POST /my-account/change-address request in the HTTP history tab. Observe that the form data is sent to the server as JSON. Analyze the response.
In the response, the server returns a JSON object representing your user, updated with the new address details.
- Send this request to Burp Repeater.
- Identify a Prototype Pollution Source:
Create a new property called __proto__ in Burp Repeater, which will hold an object with an arbitrary property:
```json
"__proto__": {
    "foo": "bar"
}
```
Send the request.
Notice that the response object now includes the arbitrary property you injected, but no __proto__ property. This indicates successful prototype pollution: your property was inherited via the prototype chain rather than stored on the object itself.
- Identify and Exploit the Gadget:
- Consider the additional attributes in the response body. The isAdmin attribute is presently set to false.
- Change the request by adding your own isAdmin property to the prototype:
```json
"__proto__": {
    "isAdmin": true
}
```
Send the request.
Observe that the response’s isAdmin value has been modified, suggesting the object has inherited this property from the polluted prototype.
- Access the Admin Panel
- Refresh the website in your browser and verify that a link to the admin panel now appears.
Now, simply click on the admin panel and remove the user “Carlos.”
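As an added illustration (my own code, not the lab's source), the following Node.js snippet reproduces the behaviour observed in the walkthrough with a hand-written unsafe merge: the `__proto__` key in the JSON body is walked into `Object.prototype`, the injected property then shows up on the user record, and `isAdmin` flips to `true` without ever being written to the record. The handler, the merge helper and the user record are this example's own assumptions about how such a server might be built; the real lab's internals are not shown on this page. The `inheritedProps` check is the defender's side of the same observation: any key visible on the record that is not an own property came from the prototype chain.

```javascript
// Added example, not the lab's source code: simulation of the change-address
// handler with an unsafe recursive merge, so the pollution chain the
// walkthrough observes can be reproduced and detected locally.
// unsafeMerge, changeAddress, inheritedProps and cleanPrototype are this
// example's own names; the user record is constructed sample data.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Unsafe "deep extend": for a plain object, target["__proto__"] is a getter
// that returns Object.prototype, so recursing into it writes onto the global
// prototype that every other object inherits from.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {   // JSON.parse keeps "__proto__" as an own key
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Simulated POST /my-account/change-address. Two weaknesses are modelled:
// the response is copied with for...in, which includes inherited enumerable
// properties (why the lab response shows the injected key), and the admin
// flag is read off the record without an own-property check (the gadget).
function changeAddress(user, rawBody) {
  unsafeMerge(user, JSON.parse(rawBody));
  const response = {};
  for (const key in user) response[key] = user[key];
  response.isAdmin = user.isAdmin === true;
  return response;
}

// Detection: a key that is visible on the record but not an own property was
// inherited; on a plain record that means Object.prototype has been polluted.
function inheritedProps(obj) {
  const keys = [];
  for (const key in obj) if (!hasOwn(obj, key)) keys.push(key);
  return keys;
}

// Undo the pollution so the demo leaves the process clean. A real server
// cannot rely on this; it needs a restart, or Object.prototype frozen up front.
function cleanPrototype(keys) {
  for (const key of keys) delete Object.prototype[key];
}

// Replays the walkthrough's three requests against one constructed record.
function demo() {
  const user = { username: 'wiener', address_line_1: '' };
  const normal = changeAddress(user, '{"address_line_1":"Wiener HQ"}');
  const probe = changeAddress(user, '{"__proto__":{"foo":"bar"}}');
  const escalated = changeAddress(user, '{"__proto__":{"isAdmin":true}}');
  const leaked = inheritedProps(user);   // ['foo', 'isAdmin']
  cleanPrototype(leaked);
  return { normal, probe, escalated, leaked };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with `node`. The point to take away is that the `isAdmin: true` in the third response never exists on the stored record: it is served from `Object.prototype`, which is exactly the signal the walkthrough uses to confirm pollution, and the signal a response-level check on a real server can alert on.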
Prevention
- Input Sanitization: Validate and cleanse incoming data
- JSON Parsing: Use safe parsing methods
- Property Access Control: Implement strict object property checks
- Dependency Management: Keep libraries updated
- Code Analysis: Employ static analysis tools
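To make the list above concrete, here is an added example (my own code, not the lab's or Express's) of the hardened counterparts to an unsafe deep merge: a reviver that drops `__proto__`, `constructor` and `prototype` keys while parsing, a merge that refuses those keys and only recurses into properties the target itself owns, and an access check that ignores inherited values. All function names are this example's own.

```javascript
// Added example, not the lab's or Express's code: hardened parsing, merging
// and privilege checks. parseJsonSafely, safeMerge, isAdminUser and
// changeAddressHardened are this example's own names.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// JSON Parsing: a reviver that returns undefined deletes the property, so the
// dangerous keys never reach the application object at any nesting depth.
function parseJsonSafely(raw) {
  return JSON.parse(raw, (key, value) => (DANGEROUS_KEYS.has(key) ? undefined : value));
}

// Input Sanitization + Property Access Control inside the merge itself:
// - only own keys of the source are read,
// - the dangerous keys are refused even if the parser let them through,
// - recursion only enters objects the target itself owns, so a lookup such as
//   target["constructor"] can never walk up to Object.prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Privilege decisions read an own property only; an inherited value is ignored,
// which removes the isAdmin gadget even if pollution happened elsewhere.
function isAdminUser(user) {
  return hasOwn(user, 'isAdmin') && user.isAdmin === true;
}

// Hardened change-address handler: safe parse, safe merge, and a response
// built from own properties only.
function changeAddressHardened(user, rawBody) {
  safeMerge(user, parseJsonSafely(rawBody));
  const response = {};
  for (const key of Object.keys(user)) response[key] = user[key];
  response.isAdmin = isAdminUser(user);
  return response;
}

if (typeof require !== 'undefined' && require.main === module) {
  const user = { username: 'wiener' };
  const body = '{"address_line_1":"Wiener HQ","__proto__":{"isAdmin":true}}';
  console.log(JSON.stringify(changeAddressHardened(user, body)));
  console.log('Object.prototype.isAdmin:', Object.prototype.isAdmin);   // undefined
}
```

Calling `Object.freeze(Object.prototype)` at startup is a further backstop: a polluting write then fails instead of succeeding (silently in sloppy mode, with a TypeError in strict mode), and the inherited-property check from the walkthrough can be kept as a monitoring signal. The dependency-management point matters because the unsafe merge is often inside a library rather than in application code, so updating it is what actually removes the source.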
Conclusion:
Vigilant server-side practices are crucial for thwarting prototype pollution. By implementing robust validation, secure parsing, and proactive code review, developers can significantly reduce vulnerability risks.