Prototype pollution is a JavaScript-specific vulnerability in which an attacker writes to the prototype of a built-in object, usually Object.prototype, so that the injected property is inherited by every object in the application that does not define its own property of the same name. The typical entry points are deep-merge or clone operations, query-string parsers, and JSON processing that accept attacker-controlled keys such as __proto__ or constructor.prototype and assign them recursively. Depending on how the application later reads properties, a polluted prototype can bypass access controls (a check such as `user.isAdmin` becoming true for every object), cause denial of service, lead to cross-site scripting when template engines pick up polluted variables, or, in Node.js, reach "gadget" code (for example child process options) and potentially achieve remote code execution. Testing involves identifying merge, assign and property-path operations that process user input without rejecting prototype-reaching keys, then confirming that a payload sets a property on a fresh, unrelated object.
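The following is an added example, not code from the original page: a naive recursive merge of the kind described above, exposed to a constructed JSON payload, next to a hardened merge that refuses prototype-reaching keys. The function names (`unsafeMerge`, `safeMerge`, `isAdminRequest`, `demonstrate`) are assumptions for this illustration and do not refer to any real library.

```javascript
// Added example (not from the original page). Shows how a recursive merge
// over attacker-controlled JSON pollutes Object.prototype, how an unrelated
// authorisation check is affected, and how a hardened merge prevents it.

// Vulnerable: iterates with for...in and recurses into nested objects. For a
// key named "__proto__", target[key] resolves to Object.prototype, so the
// recursion writes the attacker's properties onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: only own enumerable keys, explicit denylist of keys that reach the
// prototype chain, and only recurse into nested objects the target itself owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop prototype-reaching keys
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Authorisation check written the way the text warns about: a property the
// session object never set falls through to the prototype chain.
function isAdminRequest(session) {
  return session.isAdmin === true;
}

// Runs one merge implementation against a constructed attacker payload (the
// JSON body of a profile update) and reports what an unrelated object sees.
function demonstrate(mergeFn) {
  // Constructed payload. JSON.parse creates an OWN property literally named
  // "__proto__" here, which is what the vulnerable merge then walks into.
  const payload = JSON.parse('{"displayName":"mallory","__proto__":{"isAdmin":true}}');
  const profile = mergeFn({}, payload);

  const unrelatedSession = {}; // created after the merge, never touched by it
  const result = {
    polluted: Object.prototype.isAdmin === true,
    unrelatedIsAdmin: isAdminRequest(unrelatedSession),
    profileOwnsIsAdmin: hasOwn(profile, 'isAdmin'),
    displayName: profile.displayName,
  };

  delete Object.prototype.isAdmin; // clean up so the rest of the process is unaffected
  return result;
}

// Stand-alone usage.
console.log('unsafeMerge:', demonstrate(unsafeMerge));
console.log('safeMerge:  ', demonstrate(safeMerge));
```

When testing a real application, the confirmation step is the `unrelatedSession` check above: after sending the payload, an object the code never wrote to now answers `isAdmin === true`. As defence in depth, Node.js can be started with `--disable-proto=delete` (or `throw`) to remove the `Object.prototype.__proto__` accessor, but that does not stop pollution through `constructor.prototype`, so the merge itself still needs the key filtering shown here.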
Technical
Prototype Pollution in JavaScript: Understanding and Testing This Unique Vulnerability Class for Vietnamese Enterprises
Prototype pollution allows attackers to modify JavaScript object prototypes, potentially affecting every object in the application. Guidance for the Vietnamese market.