Byte Open Security

(ByteOS Network)

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Weakness ID: 1321
Version: v4.17
Weakness Name: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Vulnerability Mapping: Allowed
Abstraction: Variant
Structure: Simple
Status: Incomplete
Likelihood of Exploit:
▼Description

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

▼Extended Description

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the product depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

This weakness is usually exploited by using a special attribute of objects called __proto__, constructor or prototype. Such attributes give access to the object prototype. This weakness is often found in code that assigns object attributes based on user input, or merges or clones objects recursively.

▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature | Mapping | Type | ID | Name
CanPrecede | Allowed | Base | 471 | Modification of Assumed-Immutable Data (MAID)
ChildOf | Allowed | Base | 915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes
▼Memberships
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 1415 | Comprehensive Categorization: Resource Control
▼Tags
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | BOSS View | BOSS-248 | Weaknesses in Software Written in JavaScript
MemberOf | Prohibited | BOSS View | BOSS-279 | Input Validation Strategy
MemberOf | Prohibited | BOSS View | BOSS-318 | Modify Application Data (impact)
MemberOf | Prohibited | BOSS View | BOSS-324 | DoS: Crash, Exit, or Restart (impact)
▼Common Consequences
Scope | Likelihood | Impact | Note
Integrity | High | Modify Application Data | An attacker can inject attributes that are used in other components.
Availability | High | DoS: Crash, Exit, or Restart | An attacker can override existing attributes with ones of an incompatible type, which may lead to a crash.

▼Potential Mitigations
Phase: Implementation
Effectiveness: High
Description:

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Note:

While this can mitigate this weakness completely, other methods are recommended when possible, especially in components used by upstream software ("libraries").

Phase: Architecture and Design
Effectiveness: High
Description:

By blocking modifications of attributes that resolve to the object prototype, such as __proto__ or prototype, this weakness can be mitigated.

Phase: Implementation
Strategy: Input Validation
Effectiveness: Limited
Description:

When handling untrusted objects, validation against a schema can be used.

Phase: Implementation
Effectiveness: High
Description:

By using an object without a prototype (via Object.create(null)), adding object prototype attributes by reaching the prototype through the special attributes becomes impossible, mitigating this weakness.

Phase: Implementation
Effectiveness: Moderate
Description:

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
▼Modes Of Introduction
Phase: Architecture and Design
Note:

N/A

Phase: Implementation
Note:

N/A

▼Applicable Platforms
Languages
Class: JavaScript (Undetermined Prevalence)
▼Demonstrative Examples
Example 1

This function sets object attributes based on a dot-separated path.

Language: JavaScript (Bad code)

    function setValueByPath(object, path, value) {
      const pathArray = path.split(".");
      const attributeToSet = pathArray.pop();
      let objectToModify = object;
      for (const attr of pathArray) {
        if (typeof objectToModify[attr] !== 'object') {
          objectToModify[attr] = {};
        }
        objectToModify = objectToModify[attr];
      }
      objectToModify[attributeToSet] = value;
      return object;
    }

This function does not check whether an attribute resolves to the object prototype. Either of these calls can be used to add "isAdmin: true" to the object prototype:

Language: JavaScript (Bad code)

    setValueByPath({}, "__proto__.isAdmin", true)
    setValueByPath({}, "constructor.prototype.isAdmin", true)

By using a denylist of dangerous attributes, this weakness can be eliminated.

Language: JavaScript (Good code)

    function setValueByPath(object, path, value) {
      const pathArray = path.split(".");
      const attributeToSet = pathArray.pop();
      let objectToModify = object;
      for (const attr of pathArray) {
        // Ignore attributes which resolve to the object prototype
        if (attr === "__proto__" || attr === "constructor" || attr === "prototype") {
          continue;
        }
        if (typeof objectToModify[attr] !== "object") {
          objectToModify[attr] = {};
        }
        objectToModify = objectToModify[attr];
      }
      objectToModify[attributeToSet] = value;
      return object;
    }
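The Extended Description names recursive object merging as the other common source of this weakness, and the Potential Mitigations list a denylist, null-prototype objects and up-front validation. The following added example, which is not code from the CWE entry, combines those mitigations in a recursive merge of untrusted JSON into a settings object; the settings object, the hostile payload and the function names are constructed for illustration.

```javascript
// Added example (not the CWE entry's code): a recursive merge, the pattern
// behind the listed merge CVEs, hardened with the entry's mitigations.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  if (v === null || typeof v !== "object" || Array.isArray(v)) return false;
  const p = Object.getPrototypeOf(v);
  return p === Object.prototype || p === null;
}

// Dotted path of the first key resolving to the object prototype, or null.
// JSON.parse stores "__proto__" as an ordinary own key, so Object.keys sees it.
function findForbiddenKey(input, path = []) {
  for (const key of Object.keys(input)) {
    if (FORBIDDEN.has(key)) return [...path, key].join(".");
    if (isPlainObject(input[key])) {
      const hit = findForbiddenKey(input[key], [...path, key]);
      if (hit !== null) return hit;
    }
  }
  return null;
}

function mergeInto(target, source) {
  for (const key of Object.keys(source)) {
    const incoming = source[key];
    if (!isPlainObject(incoming)) { target[key] = incoming; continue; }
    // Descend only into an own plain object; an inherited one (target.constructor) is the prototype.
    const own = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
    target[key] = mergeInto(own ? target[key] : Object.create(null), incoming);
  }
  return target;
}

// Validates the whole payload before touching target, so a rejected payload
// leaves the settings untouched and the thrown message can be logged.
function safeMerge(target, source) {
  const bad = findForbiddenKey(source);
  if (bad !== null) throw new Error(`rejected prototype-reaching key: ${bad}`);
  return mergeInto(target, source);
}

function demo() {
  const settings = { theme: "light", limits: { rate: 10 } }; // constructed sample
  const hostile = JSON.parse('{"limits":{"rate":20},"constructor":{"prototype":{"isAdmin":true}}}');
  let rejected = null;
  try { safeMerge(settings, hostile); } catch (e) { rejected = e.message; }
  safeMerge(settings, JSON.parse('{"limits":{"rate":20,"burst":5}}'));
  return { rejected, rate: settings.limits.rate, burst: settings.limits.burst, polluted: "isAdmin" in {} };
}
```

The `polluted` field is the regression check a test suite can keep around: after processing untrusted input, a plain `{}` must still not see the injected attribute.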

▼Observed Examples
Reference | Description
CVE-2018-3721 | Prototype pollution by merging objects.
CVE-2019-10744 | Prototype pollution by setting default values to object attributes recursively.
CVE-2019-11358 | Prototype pollution by merging objects recursively.
CVE-2020-8203 | Prototype pollution by setting object attributes based on a dot-separated path.
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

▼Related Attack Patterns
ID | Name
CAPEC-1 | Accessing Functionality Not Properly Constrained by ACLs
CAPEC-180 | Exploiting Incorrectly Configured Access Control Security Levels
CAPEC-77 | Manipulating User-Controlled Variables
▼References
REF-1148: Olivier Arteau, "Prototype pollution attack in NodeJS application", 2018-05-15. URL: https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf
REF-1149: Changhui Xu, "What is Prototype Pollution?", 2019-07-30. URL: https://codeburst.io/what-is-prototype-pollution-49482fc4b638