What is Prototype Pollution
Prototype Pollution refers to the ability to inject properties into the prototypes of existing JavaScript language constructs, such as Object. An attacker manipulates these properties to overwrite, or pollute, the prototype of the application's base object by injecting other values.
More details and a better explanation can be found here:
- https://codeburst.io/what-is-prototype-pollution-49482fc4b638
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://snyk.io/vuln/SNYK-JS-ASSIGNDEEP-450211
Technical Details
A prototype pollution vulnerability exists in ExpressCart that can lead to denial of service of any ExpressCart application. The vulnerability exists here: https://github.com/snoopysecurity/expressCart/blob/master/routes/index.js#L803. The product ID comes from user input (https://github.com/snoopysecurity/expressCart/blob/master/routes/index.js#L756) when a cart is updated, and it is then used as the key of an assignment on line 803 of index.js.
In the screenshots below, cartId is set to __proto__ when updating the quantity of a product as a user. This modifies the prototype of the request session cart, so that the field quantity is assigned to another object, and eventually crashes the application, as seen in the screenshot below.
__proto__ is added as the parameter value of cartId. This then becomes part of req.session.cart[productCartId], e.g. req.session.cart[__proto__] (the code highlighted at https://github.com/snoopysecurity/expressCart/blob/master/routes/index.js#L803):
let cartQuantity = 0;
// productCartId is user controlled; with "__proto__" this lookup returns the
// cart's prototype, which is truthy, so the assignments below hit the prototype
if(req.session.cart[productCartId]){
    cartQuantity = parseInt(req.session.cart[productCartId].quantity) + productQuantity;
    req.session.cart[productCartId].quantity = cartQuantity;
    req.session.cart[productCartId].totalItemPrice = productPrice * parseInt(req.session.cart[productCartId].quantity);
}else{
This then traverses the prototype chain and adds quantity and totalItemPrice to every object that inherits from the polluted prototype. The application then crashes because quantity ends up as a field in a MongoDB connection call, which produces a MongoDB error that crashes the application.
This can be used to crash any ExpressCart application. The authors of ExpressCart were contacted to fix this issue, but it looks like the project is not maintained anymore.