Client-Side Prototype Pollution

high Web Application Scanning Plugin ID 112719
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

Client-Side Prototype Pollution

Description

Prototype-based programming languages rely on the process of defining objects used as prototypes to be then extended or cloned in order to create new objects. Once instantiated, these objects will inherit from the properties and methods of their prototype.

JavaScript is one of the most common prototype-based language in modern web applications, on both server-side and client-side components. Nearly all the JavaScript objects are instances of Object, making them inherit from the properties and methods of the Object prototype.

A client-side prototype pollution vulnerability exists when an attacker is able to modify the properties of the Object prototype in the context of the web browser, exposing the application users to further issues like Cross-Site Scripting or Denial of Service attacks.

Solution

The inputs should be properly sanitized to prevent the Object prototype from being modified when trying to leverage on the properties like prototype or constructor during some operations (like merging or cloning objects). JavaScript objects can also be explicitly instantiated without a prototype by using the Object.create(null) constructor. Finally, prefer using a Map object as a key and value storage as it will not contain the Objects prototype keys, thus preventing the pollution to occur.

See Also

https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/

https://portswigger.net/daily-swig/prototype-pollution-the-dangerous-and-underrated-vulnerability-impacting-javascript-applications

https://snyk.io/blog/snyk-research-team-discovers-severe-prototype-pollution-security-vulnerabilities-affecting-all-versions-of-lodash/

Plugin Details

Severity: High

ID: 112719

Type: remote

Published: 5/6/2021

Updated: 7/7/2021

Scan Template: scan, pci

Risk Information

CVSS Score Source: CVE-2021-20083

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference Information

CVE: CVE-2021-20083, CVE-2021-20084, CVE-2021-20085, CVE-2021-20086, CVE-2021-20087, CVE-2021-20088, CVE-2021-20089

CWE: 1321

OWASP API: 2019-API7