Prototype pollution is a vulnerability in which an attacker injects properties into a shared prototype, usually Object.prototype, by feeding keys such as __proto__ or constructor.prototype to code that recursively merges, clones or deep-sets properties from untrusted input (a parsed JSON body, a query string, a YAML config). Because nearly every object inherits from Object.prototype, the injected property then shows up on objects the attacker never touched, leading to unintended behaviour or security breaches throughout the application.
Privilege Escalation: As shown above, if an application checks if (user.isAdmin) and the user record has no own isAdmin property, the lookup falls through to the polluted prototype, so an attacker can make every user, including themselves, an admin globally.
Denial of Service (DoS): An attacker can overwrite built-in methods like toString or valueOf with a value that isn't a function. The next implicit string conversion of a plain object then throws a TypeError, and an uncaught exception of that kind takes down a Node.js process, so the whole application crashes the next time that method is called.
Remote Code Execution (RCE): If the polluted property is read as configuration by code that runs commands or renders templates (for example an options object handed to a process-spawning call, a file path, or a template engine setting that controls code generation), the attacker can execute arbitrary code on the server.
Bypassing Input Validation: Attackers can inject properties that bypass security filters or sanitizers that rely on checking object properties, since a flag such as an allow-list or a "skip validation" option that is read from an options object is inherited from the polluted prototype whenever the caller did not set it explicitly.
Use Object.create(null): If you are creating an object to store data (like a map or a cache), create it without a prototype. There is nothing for a lookup of __proto__ or isAdmin to fall through to, so the store is immune to pollution. Note that such an object also has no hasOwnProperty method of its own; use Object.prototype.hasOwnProperty.call(obj, key) or Object.hasOwn(obj, key) to inspect it.
Validate Keys: At every point where untrusted keys are written into an object (recursive merge, deep set, path-based assignment), check if the key being processed is __proto__, constructor, or prototype and block it. Blocking __proto__ alone is not enough: the path constructor.prototype reaches the same Object.prototype. Also recurse only into properties the target actually owns, never into an inherited one.
Freeze the Prototype: In your main entry file, you can call Object.freeze(Object.prototype) to prevent any changes at runtime. This is a one-way switch: in strict mode a write to the frozen prototype throws a TypeError, in sloppy mode it is silently ignored, and any dependency that legitimately patches Object.prototype (some polyfills do) will break, so test the whole application after enabling it.
Use Map instead of Object: For collections of dynamic keys, use the Map data structure. Map entries live in the map's own table, not in object properties, so map.get("__proto__") returns undefined rather than Object.prototype, making it safe from this specific attack.
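The following is an added example, not code from the original page: a recursive merge in the shape many utility libraries once shipped, the same merge hardened with the key validation and Object.create(null) technique described above, and two functions that reproduce the privilege-escalation and denial-of-service impacts. It assumes Node.js; the payloads are constructed for the demonstration, and both demonstrations undo their own pollution so the process stays usable.

```javascript
// Added example (not from the original page): vulnerable vs hardened
// recursive merge, plus reproductions of two prototype-pollution impacts.
// Assumes Node.js. All payloads below are constructed attacker input.

// Vulnerable merge. JSON.parse('{"__proto__": ...}') creates an OWN key
// named "__proto__", so Object.keys() yields it, target["__proto__"]
// resolves to Object.prototype, and the recursion writes the attacker's
// nested keys onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' &&
        target[key] !== null && typeof target[key] === 'object') {
      unsafeMerge(target[key], value);   // recurses into Object.prototype for "__proto__"
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skip the three keys that reach a prototype, recurse only
// into objects the target OWNS, and create nested containers with
// Object.create(null) so no lookup can fall through to Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;            // or throw, if loud failure is preferred
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = Object.create(null);          // prototype-less container
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Impact 1: privilege escalation. `user` is never passed to the merge, yet
// after unsafeMerge its isAdmin lookup is answered by Object.prototype.
function demonstratePrivilegeEscalation() {
  const payload = JSON.parse('{"__proto__": {"isAdmin": true}}');  // constructed attacker input
  const user = { name: 'alice' };
  const before = user.isAdmin;                                      // undefined
  unsafeMerge({}, payload);
  const afterUnsafe = user.isAdmin;                                 // true, inherited
  const ownProperty = Object.prototype.hasOwnProperty.call(user, 'isAdmin'); // false
  delete Object.prototype.isAdmin;                                  // undo the pollution
  safeMerge({}, payload);                                           // "__proto__" is skipped
  const afterSafe = user.isAdmin;                                   // undefined
  return { before, afterUnsafe, ownProperty, afterSafe };
}

// Impact 2: denial of service. Replacing Object.prototype.toString with a
// non-function makes any implicit string conversion of a plain object throw
// a TypeError. The original is saved and restored in `finally`.
function demonstrateDenialOfService() {
  const originalToString = Object.prototype.toString;
  try {
    unsafeMerge({}, JSON.parse('{"__proto__": {"toString": 1}}'));
    try {
      String({});          // ToPrimitive finds no callable toString, valueOf returns an object
      return false;
    } catch (err) {
      return err instanceof TypeError;
    }
  } finally {
    Object.prototype.toString = originalToString;
  }
}

console.log(demonstratePrivilegeEscalation()); // { before: undefined, afterUnsafe: true, ownProperty: false, afterSafe: undefined }
console.log(demonstrateDenialOfService());     // true
```

The ownProperty result is the practical check to remember: a value that is visible on an object but not owned by it is the signature of prototype pollution, so authorization code should read flags with Object.hasOwn (or hasOwnProperty.call) rather than a bare property access.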