Prototype pollution

Prototype pollution is a JavaScript vulnerability that enables an attacker to add arbitrary properties to global prototypes, which may then be inherited by user-defined objects.
Prototype pollution remains a stealthy but dangerous threat in JavaScript-heavy applications; bug bounty reports and pentests show it is less frequent than XSS or SQLi but high-impact when exploited, especially in modern JS frameworks (React, Angular, Vue), APIs and cloud functions (Node.js, serverless backends), and libraries and tools (e.g., lodash, jQuery, and custom utilities).
It remains relevant for three reasons: merging user input into objects without sanitisation is still common; exploitation can be silent (RCE in Node.js if polluted properties reach child_process or eval(), DOM XSS escalation by polluting Object.prototype, or arbitrary property injection overwriting sensitive attributes such as isAdmin: true); and many SAST tools miss prototype pollution unless explicitly configured.
It is worth testing for when the app uses dynamic object manipulation (e.g., Object.assign, merge, lodash.defaultsDeep), when user input is passed to JSON.parse() or object utilities, and/or when the app relies on client-side JS frameworks (e.g., admin dashboards, SPAs).
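To make the merge-based vector concrete, here is an added example (not from the original page) for Node.js: a naive recursive merge that a `__proto__` key in parsed JSON can use to write into `Object.prototype`, beside a hardened version that skips prototype-reaching keys. The payload, the `demo` helper and the function names are constructed for this illustration.

```javascript
// Added example, not from the original page. A vulnerable deep merge and a
// hardened one, driven by a constructed attacker-controlled JSON payload.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// VULNERABLE: walks every key of the source, including "__proto__".
// JSON.parse creates "__proto__" as an own property, so for...in yields it;
// target["__proto__"] then resolves to Object.prototype, and the recursion
// writes the attacker's keys onto the global prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// HARDENED: refuse keys that reach the prototype chain and only descend into
// own properties of the target, so inherited objects are never merged into.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed payload, shaped like a profile-update body a merge endpoint sees.
const PAYLOAD = '{"username":"guest","__proto__":{"isAdmin":true}}';

// Runs one merge and reports whether an unrelated object inherited isAdmin.
// The polluted property is removed afterwards so later code is unaffected.
function demo(mergeFn) {
  const user = mergeFn({}, JSON.parse(PAYLOAD));
  const victim = {};
  const polluted = victim.isAdmin === true;
  delete Object.prototype.isAdmin;
  return { username: user.username, polluted };
}
```

Running `demo(unsafeMerge)` reports `polluted: true` while `demo(safeMerge)` keeps the legitimate `username` and leaves `Object.prototype` untouched.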
Prioritize testing in JavaScript-heavy apps (SPAs, Node.js backends) and apps using `lodash`, `jQuery.extend`, or custom merges:
- DOM XSS via client-side prototype pollution
- DOM XSS via an alternative prototype pollution vector
- Client-side prototype pollution via flawed sanitisation
- Client-side prototype pollution in third-party libraries
- Client-side prototype pollution via browser APIs
- Privilege escalation via server-side prototype pollution
- Detecting server-side prototype pollution without polluted property reflection
- Bypassing flawed input filters for server-side prototype pollution
- Remote code execution via server-side prototype pollution
- Exfiltrating sensitive data via server-side prototype pollution