Summary:
Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.
Title - Prototype pollution attack[CVE-2019-10768]
Vulnerable URL:-https://explorer.dash.org/insight/
Steps To Reproduce:
1.Create/signup your account and check angularjs
2.Open console and put this payload
angular.merge({}, JSON.parse('{"proto": {"xxx": "polluted"}}'));
console.log(({}).xxx);
References:-
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-534884
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10768
Impact:-
Then it will let the attacker get access to sensitive information by polluting the scope with the isAdmin property. If the attacker changes some existing attribute to an unexpected return type (say toString attribute to return type integer) it will cause your application to crash (Denial of Service) or if you are using your server for code execution like node.js exec or eval then it might even lead to Remote code execution(RCE)
Fix:
Freeze the prototype— use Object.freeze (Object.prototype).
Require schema validation of JSON input.
Avoid using unsafe recursive merge functions.
Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.
As a best practice use Map instead of Object.
Summary:
Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.
Title - Prototype pollution attack[CVE-2019-10768]
Vulnerable URL:-https://explorer.dash.org/insight/
Steps To Reproduce:
1.Create/signup your account and check angularjs
2.Open console and put this payload
angular.merge({}, JSON.parse('{"proto": {"xxx": "polluted"}}'));
console.log(({}).xxx);
References:-
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-534884
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10768
Impact:-
Then it will let the attacker get access to sensitive information by polluting the scope with the isAdmin property. If the attacker changes some existing attribute to an unexpected return type (say toString attribute to return type integer) it will cause your application to crash (Denial of Service) or if you are using your server for code execution like node.js exec or eval then it might even lead to Remote code execution(RCE)
Fix:
Freeze the prototype— use Object.freeze (Object.prototype).
Require schema validation of JSON input.
Avoid using unsafe recursive merge functions.
Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.
As a best practice use Map instead of Object.