Prototype pollution

{{Short description|Class of web security vulnerabilities}}

Prototype pollution is a class of vulnerabilities in JavaScript runtimes that allows attackers to overwrite arbitrary properties in an object's prototype.{{Cite book |last1=Li |first1=Song |last2=Kang |first2=Mingqing |last3=Hou |first3=Jianwei |last4=Cao |first4=Yinzhi |chapter=Detecting Node.js prototype pollution vulnerabilities via object lookup analysis |date=2021-08-18 |title=Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering |series=ESEC/FSE 2021 |location=New York, NY, USA |publisher=Association for Computing Machinery |pages=268–279 |doi=10.1145/3468264.3468542 |isbn=978-1-4503-8562-6|doi-access=free }}{{Cite journal |last1=Kang |first1=Zifeng |last2=Li |first2=Song |last3=Cao |first3=Yinzhi |date=2022 |title=Probe the Proto: Measuring Client-Side Prototype Pollution Vulnerabilities of One Million Real-world Websites |journal=Proceedings 2022 Network and Distributed System Security Symposium |location=Reston, VA |publisher=Internet Society |doi=10.14722/ndss.2022.24308|isbn=978-1-891562-74-7 |doi-access=free }}{{Cite journal |last1=Shcherbakov |first1=Mikhail |last2=Balliu |first2=Musard |last3=Staicu |first3=Cristian-Alexandru |date=2023 |title=Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js |url=https://www.usenix.org/conference/usenixsecurity23/presentation/shcherbakov |journal=SEC '23: Proceedings of the 32nd USENIX Conference on Security Symposium |language=en |pages=5521–5538 |arxiv=2207.11171 |isbn=978-1-939133-37-3}}{{Cite journal |last=Cornelissen |first=Eric |last2=Shcherbakov |first2=Mikhail |last3=Balliu |first3=Musard |date=2024 |title={GHunter}: Universal Prototype Pollution Gadgets in {JavaScript} Runtimes |url=https://www.usenix.org/conference/usenixsecurity24/presentation/cornelissen |journal=USENIX Security |language=en |pages=3693–3710 |isbn=978-1-939133-44-1}}{{Cite journal |last=Hakim |first=Ismail Abdurrahman 
|last2=Widyawan |last3=Mustika |first3=I Wayan |last4=Prasetyo |first4=Eko |date=2023-12-01 |title=A Multivocal Literature Review on Prototype Pollution Vulnerability |url=https://ieeexplore.ieee.org/document/10442205/ |journal=2023 International Conference on Information Technology and Computing (ICITCOM) |publisher=IEEE |pages=375–379 |doi=10.1109/ICITCOM60176.2023.10442205 |isbn=979-8-3503-5963-3|url-access=subscription }}{{Cite journal |last=Kim |first=Hee Yeon |last2=Kim |first2=Ji Hoon |last3=Oh |first3=Ho Kyun |last4=Lee |first4=Beom Jin |last5=Mun |first5=Si Woo |last6=Shin |first6=Jeong Hoon |last7=Kim |first7=Kyounggon |date=2022-02-01 |title=DAPP: automatic detection and analysis of prototype pollution vulnerability in Node.js modules |url=https://doi.org/10.1007/s10207-020-00537-0 |journal=International Journal of Information Security |language=en |volume=21 |issue=1 |pages=1–23 |doi=10.1007/s10207-020-00537-0 |issn=1615-5270|url-access=subscription }} In a prototype pollution attack, attackers inject properties into the prototypes of existing JavaScript constructs in an attempt to compromise the application.
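
The mechanism described above, shown as an added example that is not part of the original article: a recursive merge that copies untrusted keys reaches <code>Object.prototype</code>, while a hardened variant skips prototype-related keys and only descends into own properties. The function names <code>unsafeMerge</code>, <code>safeMerge</code> and <code>demo</code>, the property name <code>polluted</code> and the JSON input are constructed for illustration.

```javascript
// Added illustration; all names and the sample input are hypothetical.
const isObj = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Pattern that causes the problem: every key of src is followed, so the
// key "__proto__" makes dst[key] resolve to the shared Object.prototype.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (isObj(val)) {
      if (!isObj(dst[key])) dst[key] = {};
      unsafeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Hardened form: reject prototype-related keys and never descend into a
// value that dst merely inherits.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = src[key];
    if (isObj(val)) {
      if (!hasOwn(dst, key) || !isObj(dst[key])) dst[key] = {};
      safeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Runs one merge over constructed input and reports whether an unrelated,
// freshly created object inherited the injected property.
function demo(merge) {
  // JSON.parse creates "__proto__" as an own, enumerable key.
  const input = JSON.parse('{"theme":"dark","__proto__":{"polluted":true}}');
  const merged = merge({}, input);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // restore the shared prototype
  return { merged, leaked };
}

console.log('unsafeMerge leaked:', demo(unsafeMerge).leaked);
console.log('safeMerge leaked:  ', demo(safeMerge).leaked);
```
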

References

{{reflist}}