JavaScript Conferences

Node Congress 2023

Node Congress 2023

English versionEN

Preventing JavaScript Prototype Pollution

Vladimir de Turckheim

Vladimir de Turckheim

Software engineer at Datadog

Introduction to Prototype Pollution

Prototype pollution is a critical security vulnerability in JavaScript that occurs when an arbitrary payload can overwrite properties or methods in the prototype chain of one or multiple objects. This vulnerability is particularly dangerous because it can affect the behavior of all objects that inherit from the polluted prototype, potentially leading to unexpected and harmful consequences.

JavaScript's prototype-based inheritance system allows objects to share properties and methods through prototype chains. When a property or method is not found on an object, JavaScript looks it up on the object's prototype, and continues up the chain until it finds the property or reaches the end of the chain. This mechanism can be exploited if developers do not properly sanitize input data, allowing attackers to inject malicious payloads that modify prototypes.

How Prototype Pollution Occurs

Prototype pollution often happens when using functions like merge, which recursively combine properties from multiple objects. When these functions encounter properties named "__proto__", they may inadvertently modify the prototype chain instead of just merging the data. This oversight can introduce malicious properties into the global object prototype, affecting all instances of objects across an application.

Consider an example using the Hook library. An attacker could create a malicious payload containing "__proto__" and a specific property. When this payload is merged with another object, the recursive nature of the merge function can lead to the addition of this property to the global prototype. Consequently, any new object created afterward inherits this malicious property, potentially leading to unauthorized access or data corruption.

Real-World Examples and Impact

Prototype pollution vulnerabilities have been observed in popular libraries such as lodash. These vulnerabilities allow attackers to manipulate the behavior of JavaScript applications by inserting unexpected properties into prototypes. Since 2018, numerous Common Vulnerabilities and Exposures (CVEs) have been reported, highlighting the widespread impact of this issue.

Instances of remote code execution have been documented in applications like Kibana and Parse Server. For example, a vulnerability in Kibana allowed attackers to execute arbitrary code by exploiting prototype pollution, illustrating the severe consequences of such vulnerabilities if left unpatched.

Preventing Prototype Pollution

To mitigate prototype pollution, developers should implement several strategies. One effective method is to filter out dangerous properties like "__proto__" during merge operations. This can be done by explicitly checking for and excluding these properties when handling objects.

Another approach is to use Object.create(null) to create objects without prototypes. These "defensive objects" are immune to prototype pollution because they do not have a prototype chain. Additionally, developers should rigorously validate and sanitize all incoming data to ensure it conforms to expected structures and does not contain unexpected properties.

Using Tools and Libraries

Tools such as Snyk and npm audit can help identify known vulnerabilities in third-party libraries, including those related to prototype pollution. Developers should regularly audit their dependencies and update to patched versions of libraries to minimize the risk of exploitation.

Static analysis tools like Semgrep can also be used to detect potential vulnerabilities in code. These tools analyze the codebase for suspicious patterns and can help identify areas where prototype pollution might occur, allowing developers to address the issues before they are exploited.

Understanding JavaScript Prototypes

To effectively prevent prototype pollution, it is important to understand how prototypes work in JavaScript. Prototypes are objects from which other objects inherit properties and methods. When a property is not found on an object, the JavaScript engine looks for it on the object's prototype, and this process continues up the chain until the property is found or the end of the chain is reached.

Developers can access the prototype of an object using methods like Object.getPrototypeOf or the "__proto__" property. However, modifying prototypes directly can introduce vulnerabilities, so it is crucial to handle them with care and avoid exposing them to untrusted data.

Conclusion

Prototype pollution is a significant security concern in JavaScript applications. By understanding how this vulnerability occurs and implementing preventive measures, developers can protect their applications from potential exploitation. Regular audits, input validation, and the use of defensive coding practices are essential to maintaining the security and integrity of JavaScript codebases.

By staying informed and adopting these strategies, developers can mitigate the risks associated with prototype pollution and build more secure applications.

Watch full talk with demos and examples:

From Author:

In 2018, a new attack vector against JavaScript codebases has been published: Prototype Pollution.
At first glance, it seemed pretty limited in impact: it would basically be a good way to crash some code. However, multiple cases of Remote Code Executions have happened based on this vector.
In this talk, we will clarify what are prototype pollutions, their real impact and of to prevent them from happening in your codebase.

This talk has been presented at Node Congress 2023, check out the latest edition of this JavaScript Conference.

Watch video on a separate page

FAQ

Prototype pollution in JavaScript occurs when an arbitrary payload handled by the code can overwrite properties or methods on the prototype chain of one or multiple objects. This usually happens through functions like merging, where properties on the prototype can be unintentionally modified, leading to unexpected behavior or security vulnerabilities.

Prototype pollution can lead to security vulnerabilities such as unauthorized access, remote code execution, and other unintended behaviors within an application. It manipulates the prototype of an object, which all instances of objects inherit methods and properties from, potentially allowing attackers to exploit this for malicious purposes.

To prevent prototype pollution, developers can sanitize and validate incoming data to ensure it does not contain malicious inputs, use Object.create(null) to create objects with no prototype, avoid using vulnerable versions of functions like merge or extend, and employ libraries or tools that filter out prototype properties like __proto__.

Yes, using maps instead of plain JavaScript objects can help prevent prototype pollution because maps do not have a prototype that can be polluted. Maps store keys and values in a form that doesn't interfere with the object's prototype chain.

The __proto__ property in JavaScript is used to assign the prototype of an object. In the context of prototype pollution, malicious payloads can manipulate __proto__ to overwrite properties on an object's prototype chain, leading to potential security risks.

Prototype pollution can significantly impact third-party libraries by altering their behavior if these libraries do not properly guard against modifications to their prototype. This can lead to widespread issues across applications that utilize the affected libraries, compromising application integrity and security.

Real-world consequences of prototype pollution include unauthorized data access, application crashes, and remote code execution. Historical incidents have shown that prototype pollution can lead to significant security breaches, affecting large-scale systems and leading to data loss or corruption.

Vladimir de Turckheim

Vladimir de Turckheim

27 min

14 Apr, 2023

Comments

Sign in or register to post your comment.

Video Summary and Transcription

This Talk discusses prototype production in JavaScript and focuses on the concept of prototype pollution. It explains the impact of prototype pollution and ways to avoid it. The Talk also highlights real-world examples of prototype pollution vulnerabilities in Kibana and MongoDB. It provides recommendations for preventing and mitigating prototype pollution, such as filtering out merge functions and using defensive objects. The Talk concludes with a discussion on tools like Semgrep for static analysis and the importance of sanitization and validation in preventing outside attacks.

Available in Español: Contaminación de Prototipos en JavaScript

1. Introduction

We'll talk about prototype production in JavaScript, but before that, let's address something important. The speaker discusses their current situation, being unemployed and working on building a company.

2. Understanding Prototype Pollution

Let's talk about prototype pollution. First, let's learn what prototypes are. We'll also discuss the impact of prototype pollution and avoiding it in JavaScript. JavaScript is prototype-based and somewhat typed. We have the type of operator to check variable types. Objects in JavaScript have prototypes, and when a method or property is not found on an object, it's looked up on the prototype. We'll recursively check the prototype chain until we find the method or property. If it's nowhere in the prototype chain, it's undefined.

3. Understanding Prototype Chain

The prototype chain forms a tree structure. Objects created with different methods may or may not share prototypes. Item three has a prototype, my proto, while item one and item two have the prototype of class one. The prototype of old style class is still in the chain. The method bar is not available on cl.prototype but is available on old style class.prototype.

4. Accessing Object Prototypes

To access the prototype of an object in JavaScript, there are multiple ways. We can use the Object.getPrototypeOf() method, the __proto__ property, or the constructor.prototype property. It's important to note that there is a single instance of the prototype in the heap.

5. Prototype Pollution in JavaScript

Prototype pollution occurs when an arbitrary payload can overwrite properties or methods on the prototype chain of objects. This can happen when using a merge function. A specific example is shown with the Hook library, where a malicious payload is used to modify the prototype chain. The impact of prototype pollution can be severe, with over 200 disclosed vulnerabilities since 2018, including remote code execution in Kibana and the PaaS server.

6. Prototype Pollution in Kibana and Parse Server

KTH University published an interesting paper on prototype pollution in Kibana. The Node.js child processes in Kibana share the parent process environment through a JavaScript object. The Node.option environment variable allows passing command line arguments. The dash e option enables running code passed as a string. Prototype pollution in Kibana allowed writing Node option in the prototype chain. This allowed running arbitrary code on the server and spawning child processes. Dash e is no longer allowed in Node option, but a bypass exists. Kibana has fixed the prototype pollution issue. Parse is a backend project for mobile apps that exposes an API in front of MongoDB.

7. Prototype Pollution in MongoDB

You can request object from MongoDB through a wave API. It's vulnerable to prototype pollution before it was fixed. The library used, bsonjs, allows storing functions in MongoDB. By default, functions are not unserialized. However, if the eval function option for the bson library is true, arbitrary functions can be evaluated. This can lead to running arbitrary code when retrieving objects from the database.

8. Preventing Prototype Pollution

To prevent prototype pollution, filter out merge functions and specifically remove underscore, underscore, proto, underscore, underscore. Lodash has fixed all instances of prototype pollution. When using as-owned property, ensure it exists on the object and not its prototype chain. Building defensive objects using Object.create or Object.createNull can prevent prototype pollution. Sanitization and data validation are crucial for preventing outside attacks. Consider using libraries like joy for data sanitization when building a Node.js web server. Node.js has an option to disable proto, underscore, underscore, proto, underscore, underscore, but be cautious as it may break some code.

9. Mitigating Prototype Pollution

Someone published a paper about class pollution in Python. There is no proof of actual use in the wild for malicious attacks, but it highlights the vulnerability. It's important to check where your objects come from in your codebase, especially for web applications that accept objects from the outside. Be cautious of third-party attacks from NPM modules and inputs from the network. Sanitize and validate the objects that enter your app to prevent injections and ensure they match your expectations. Use tools like Sneak Audit and NPM Audit to check for known vulnerabilities in your codebase.

Questions and Answers

Are there equivalents to Express or Fastify that prevent prototype pollution? I'm not sure, but it's worth checking the documentation. The -e argument in node options bypass allows passing a JavaScript code string instead of a file. Object.assign may not create polluted prototypes, but further research is needed. Other ways of achieving RCE with prototype pollution depend on the application's string evaluation capabilities. Consider using maps instead of objects to avoid pollution, but ensure there is no intrinsic pollution. It's unclear if merging objects with a native spread operator is safe from pollution. It's important to explore different solutions and not assume vulnerability. ES lint rules detecting these problems may require taint tracking.

Semgrep and Merging Objects

Semgrep is a powerful static analysis code that can find vulnerabilities by running part of your code in a VM. It's open source and designed to check if you're merging based on incoming objects.

Available in other languages:

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

Scaling Up with Remix and Micro Frontends

Remix Conf Europe 2022

23 min

Scaling Up with Remix and Micro Frontends

Top Content

Adrien Baron

Creator of Tiny Frontend

This talk discusses the usage of Microfrontends in Remix and introduces the Tiny Frontend library. Kazoo, a used car buying platform, follows a domain-driven design approach and encountered issues with granular slicing. Tiny Frontend aims to solve the slicing problem and promotes type safety and compatibility of shared dependencies. The speaker demonstrates how Tiny Frontend works with server-side rendering and how Remix can consume and update components without redeploying the app. The talk also explores the usage of micro frontends and the future support for Webpack Module Federation in Remix.

remix javascript micro-frontends architecture

Full Stack Components

Remix Conf Europe 2022

37 min

Full Stack Components

Top Content

Kent C. Dodds

Creator of EpicWeb.dev, EpicReact.Dev, TestingJavaScript.com

RemixConf EU discussed full stack components and their benefits, such as marrying the backend and UI in the same file. The talk demonstrated the implementation of a combo box with search functionality using Remix and the Downshift library. It also highlighted the ease of creating resource routes in Remix and the importance of code organization and maintainability in full stack components. The speaker expressed gratitude towards the audience and discussed the future of Remix, including its acquisition by Shopify and the potential for collaboration with Hydrogen.

remix javascript fullstack architecture

React Summit 2023

24 min

Debugging JS

Top Content

Watch video: Debugging JS

Mark Erikson

Debugging JavaScript is a crucial skill that is often overlooked in the industry. It is important to understand the problem, reproduce the issue, and identify the root cause. Having a variety of debugging tools and techniques, such as console methods and graphical debuggers, is beneficial. Replay is a time-traveling debugger for JavaScript that allows users to record and inspect bugs. It works with Redux, plain React, and even minified code with the help of source maps.

best practices case study javascript web development debug

Making JavaScript on WebAssembly Fast

JSNation Live 2021

29 min

Making JavaScript on WebAssembly Fast

Top Content

Lin Clark

Working on WebAssembly at Fastly. Code Cartoons Author.

WebAssembly enables optimizing JavaScript performance for different environments by deploying the JavaScript engine as a portable WebAssembly module. By making JavaScript on WebAssembly fast, instances can be created for each request, reducing latency and security risks. Initialization and runtime phases can be improved with tools like Wiser and snapshotting, resulting in faster startup times. Optimizing JavaScript performance in WebAssembly can be achieved through techniques like ahead-of-time compilation and inline caching. WebAssembly usage is growing outside the web, offering benefits like isolation and portability. Build sizes and snapshotting in WebAssembly depend on the application, and more information can be found on the Mozilla Hacks website and Bike Reliance site.

javascript webassembly

Webpack in 5 Years?

JSNation 2022

26 min

Webpack in 5 Years?

Top Content

Tobias Koppers

Webpack and Turbopack Creator

In the last 10 years, Webpack has shaped the way we develop web applications by introducing code splitting, co-locating style sheets and assets with JavaScript modules, and enabling bundling for server-side processing. Webpack's flexibility and large plugin system have also contributed to innovation in the ecosystem. The initial configuration for Webpack can be overwhelming, but it is necessary due to the complexity of modern web applications. In larger scale applications, there are performance problems in Webpack due to issues with garbage collection, leveraging multiple CPUs, and architectural limitations. Fixing problems in Webpack has trade-offs, but a rewrite could optimize architecture and fix performance issues.

javascript webpack builders and founders

Towards a Standard Library for JavaScript Runtimes

Node Congress 2022

34 min

Towards a Standard Library for JavaScript Runtimes

Top Content

James Snell

Workers team @Cloudflare

There is a need for a standard library of APIs for JavaScript runtimes, as there are currently multiple ways to perform fundamental tasks like base64 encoding. JavaScript runtimes have historically lacked a standard library, causing friction and difficulty for developers. The idea of a small core has both benefits and drawbacks, with some runtimes abusing it to limit innovation. There is a misalignment between Node and web browsers in terms of functionality and API standards. The proposal is to involve browser developers in conversations about API standardization and to create a common standard library for JavaScript runtimes.

javascript component library node.js

Workshops on related topic

Master JavaScript Patterns

JSNation 2024

145 min

Master JavaScript Patterns

Top Content

Featured Workshop

Adrian Hajdin

During this workshop, participants will review the essential JavaScript patterns that every developer should know. Through hands-on exercises, real-world examples, and interactive discussions, attendees will deepen their understanding of best practices for organizing code, solving common challenges, and designing scalable architectures. By the end of the workshop, participants will gain newfound confidence in their ability to write high-quality JavaScript code that stands the test of time.
Points Covered:
1. Introduction to JavaScript Patterns2. Foundational Patterns3. Object Creation Patterns4. Behavioral Patterns5. Architectural Patterns6. Hands-On Exercises and Case Studies
How It Will Help Developers:
- Gain a deep understanding of JavaScript patterns and their applications in real-world scenarios- Learn best practices for organizing code, solving common challenges, and designing scalable architectures- Enhance problem-solving skills and code readability- Improve collaboration and communication within development teams- Accelerate career growth and opportunities for advancement in the software industry

best practices javascript patterns

Using CodeMirror to Build a JavaScript Editor with Linting and AutoComplete

React Day Berlin 2022

86 min

Using CodeMirror to Build a JavaScript Editor with Linting and AutoComplete

Top Content

Workshop

Hussien Khayoon

Kahvi Patel

2 authors

Using a library might seem easy at first glance, but how do you choose the right library? How do you upgrade an existing one? And how do you wade through the documentation to find what you want?
In this workshop, we’ll discuss all these finer points while going through a general example of building a code editor using CodeMirror in React. All while sharing some of the nuances our team learned about using this library and some problems we encountered.

javascript build tools

Testing Web Applications Using Cypress

TestJS Summit - January, 2021

173 min

Testing Web Applications Using Cypress

Top Content

Workshop

Gleb Bahmutov

This workshop will teach you the basics of writing useful end-to-end tests using Cypress Test Runner.
We will cover writing tests, covering every application feature, structuring tests, intercepting network requests, and setting up the backend data.
Anyone who knows JavaScript programming language and has NPM installed would be able to follow along.

testing javascript cypress e2e testing

React Server Components Unleashed: A Deep Dive into Next-Gen Web Development

React Day Berlin 2023

149 min

React Server Components Unleashed: A Deep Dive into Next-Gen Web Development

Workshop

Maurice de Beijer

Maurice de Beijer

Get ready to supercharge your web development skills with React Server Components! In this immersive, 3-hour workshop, we'll unlock the full potential of this revolutionary technology and explore how it's transforming the way developers build lightning-fast, efficient web applications.
Join us as we delve into the exciting world of React Server Components, which seamlessly blend server-side rendering with client-side interactivity for unparalleled performance and user experience. You'll gain hands-on experience through practical exercises, real-world examples, and expert guidance on how to harness the power of Server Components in your own projects.
Throughout the workshop, we'll cover essential topics, including:- Understanding the differences between Server and Client Components- Implementing Server Components to optimize data fetching and reduce JavaScript bundle size- Integrating Server and Client Components for a seamless user experience- Strategies for effectively passing data between components and managing state- Tips and best practices for maximizing the performance benefits of React Server Components

javascript react server components

0 to Auth in an Hour Using NodeJS SDK

Node Congress 2023

63 min

0 to Auth in an Hour Using NodeJS SDK

Workshop

Asaf Shen

Passwordless authentication may seem complex, but it is simple to add it to any app using the right tool.
We will enhance a full-stack JS application (Node.JS backend + React frontend) to authenticate users with OAuth (social login) and One Time Passwords (email), including:- User authentication - Managing user interactions, returning session / refresh JWTs- Session management and validation - Storing the session for subsequent client requests, validating / refreshing sessions
At the end of the workshop, we will also touch on another approach to code authentication using frontend Descope Flows (drag-and-drop workflows), while keeping only session validation in the backend. With this, we will also show how easy it is to enable biometrics and other passwordless authentication methods.
Table of contents- A quick intro to core authentication concepts- Coding- Why passwordless matters
Prerequisites- IDE for your choice- Node 18 or higher

javascript node.js authentication

JavaScript-based full-text search with Orama everywhere

Node Congress 2023

49 min

JavaScript-based full-text search with Orama everywhere

Workshop

Michele Riva

In this workshop, we will see how to adopt Orama, a powerful full-text search engine written entirely in JavaScript, to make search available wherever JavaScript runs. We will learn when, how, and why deploying it on a serverless function could be a great idea, and when it would be better to keep it directly on the browser. Forget APIs, complex configurations, etc: Orama will make it easy to integrate search on projects of any scale.

Follow us

Upcoming events

Subscribe to the top JS conferences

and grow in-depth as engineer with insights from library authors and core teams

JSNation 2025

Amsterdam, Jun 12 - 16, 2025

Want to sponsor our events?

React Summit 2025

Amsterdam, Jun 13 - 17, 2025

Productivity Conf for Devs and Tech Leaders

Mar 27 - 28, 2025

Node Congress 2025

Apr 17, 2025

JSNation US 2025

New York, Nov 17 - 20, 2025

React Summit US 2025

New York, Nov 18 - 21, 2025

React Advanced 2025

London, Nov 27 - Dec 1, 2025