Prototype Pollution

• a = new A()
  • a. __proto__ === A.prototype
• undefined may be replaced when its prototype has the attribute.
• Trigger
  • Set
    • lodash (_.setWidth, _.set)
  • Merge / Extend
    • CVE-2019-11358 (jQuery $.extend)
  • Clone

• Prototype Chain

  When finding a property, JavaScript will go through the Prototype Chain until __proto__ is null.

  > a = []
  > b = []
  > a["__proto__"]["test"] = "testtest" // a["__proto__"] is array
  > b.test
  < "testtest"
  

• Case Study

  • MITRE
  • HackerOne XSS
  • CVE-2019-7609
  • Client-Side Prototype Pollution
  • Exploiting Client-Side Prototype Pollution in the wild