theAwful
  • Introduction
  • INTERNALS
    • Responder
      • NBNS/LLMNR
    • mitm6
    • Password Spraying
    • CME/NXC Cheatsheet
    • Kerberoasting
    • AS-REP Roasting
    • Dumping NTDS
  • Metasploit Payload and Listener
    • Encoder
    • Word Macros
    • Payloads
      • Earlybird
    • Metasploit Modules
  • OSEP Cheat Sheet
  • OSEP Challenges
    • Challenge 6
  • C2
    • Sliver
  • Privilege Escalation
    • PowerUp
    • Privilege Escalation
      • Internal Privilege Escalation (Linux)
  • Windows Local Recon
    • SQL Server
    • Application Whitelisting and Credentials
  • Linux Local Recon
  • File Transfer & Execution
  • Phishing
  • Ansible/Jfrog
  • Pivoting
  • Pass-the-hash
  • Remote Access
  • Post-Exploitation
    • Add User
    • AMSI, CLM, AppLocker
  • Credentials
  • Lateral Movement
  • Domain Enumeration
    • Users and Computers
    • ACLs
    • BloodHound
    • GPO
    • Trusts
    • User Hunting
  • Active Directory
    • Domain Recon - Kali
    • Domain Recon - Windows
    • Trusts
    • ADCS
      • ESC3
  • Web Application Testing
    • Host Headers
    • WAF Bypasses
    • Template Injection
    • Prototype Pollution
      • Client-side Prototype Pollution
    • Autorize
    • SQLmap
    • SSRF
    • File Uploads
    • Command Injection
    • XXE
      • Blind XXE
    • CSRF
    • XSS
      • XSS Methodology
      • Bypass WAF
  • MOBILE APPS
    • iOS
      • Install Tools
      • SSL Killswitch
    • Android
      • Install Tools
      • Setting up Burp
      • Red Teaming
  • Exploit Dev
    • AMSI Bypass
      • AMSI OpenSession
      • AMSI ScanBuffer
    • VBA Obfsu
    • APC Injection
    • EarlyBird Injection
  • DFIR
    • Malware Analysis
    • Memory Analysis
      • Volatility
    • Registry Analysis
      • RegRipper
    • Behavior Analysis
      • ShellBags
      • UserAssist
    • Filesystems
  • VISUAL STUDIO
    • Tricks
  • Scripts and Tools
    • Grep IPs from DNS ping
    • OSINT.sh
Powered by GitBook
On this page
  1. Web Application Testing

Prototype Pollution

What is it?

Prototype Pollution is a vulnerability that occurs when an attacker manipulates the prototype of a JavaScript object. It exploits the dynamic nature of JavaScript, allowing an attacker to modify an object's structure and behavior.

This vulnerability is unique to JavaScript environments due to the language's flexible object model, where prototypes are shared between all objects of the same type. Consequently, a change to the prototype is reflected across all instances, potentially affecting the application's behavior globally.

There are mainly two types of Prototype Pollution:

  1. Global Prototype Pollution: This involves manipulating JavaScript's built-in object prototypes, such as Object.prototype, Array.prototype, etc. It can lead to various forms of attacks, such as adding, modifying, or deleting properties and methods, affecting the entire application.

  2. Local Prototype Pollution: This is more specific and involves manipulating the prototype of specific objects in the application. The impact is usually confined to the scope of those specific objects.

It's important to note that due to its nature, Prototype Pollution can lead to other kinds of attacks like:

  • Privilege escalation: By altering properties that control user privileges.

  • Remote Code Execution: By changing methods or properties related to function execution.

  • Denial of Service: By overloading methods or properties causing resource exhaustion.

  • Bypassing security measures: By altering validation or security checks.

For more details on Prototype Pollution see the relevant resources and child pages.

PreviousTemplate InjectionNextClient-side Prototype Pollution

Last updated 11 months ago