# Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321)

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

**Stack:** JavaScript

- Prevalence: Medium (1 language covered)
- Impact: High (1 high-severity rule)
- Prevention: Documented (2 fix examples)

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

By modifying the prototype of base objects like `Object.prototype`, attackers can affect all objects that inherit from these prototypes, potentially leading to code execution or denial of service.

## Prevention

Prevention strategies for Prototype Pollution, based on 2 Shoulder detection rules.

### JavaScript

- Filter dangerous keys (`__proto__`, `constructor`, `prototype`) or use schema validation before merging user input.
- Use `Object.hasOwn()` to verify that authorization properties are own properties, not inherited from a polluted prototype.

## Warning Signs

- [HIGH] User input flowing to object merge operations without filtering dangerous keys
- [MEDIUM] Authorization checks that trust properties without verifying they are own properties

## Consequences

- Execution of unauthorized code
- Modification of application data
- DoS

## Mitigations

- Use `Object.create(null)` for lookup objects
- Validate and sanitize keys before object assignment
- Use `Map` instead of plain objects for user-controlled keys

## Detection

- Total rules: 2
- Languages: javascript, typescript

## Rules by Language

### Javascript (2 rules)

- **Prototype Pollution via Object Manipulation** [HIGH]: Detects user input flowing to object merge operations without filtering dangerous keys.
  - Remediation: Filter dangerous keys (`__proto__`, `constructor`, `prototype`) before merging objects.

    ```javascript
    // Drop the keys that can reach the prototype chain before merging untrusted input
    const BLOCKED = ['__proto__', 'constructor', 'prototype'];
    const filtered = Object.fromEntries(
      Object.entries(input).filter(([k]) => !BLOCKED.includes(k))
    );
    ```

  - Learn more: https://shoulder.dev/learn/javascript/cwe-1321/prototype-pollution

- **Prototype Pollution Gadget - Unsafe Property Trust** [MEDIUM]: Detects authorization checks that trust properties without verifying they are own properties.
  - Remediation: Use `Object.hasOwn()` to verify properties are not inherited from the prototype.

    ```javascript
    // Only honour isAdmin when it is set on the user object itself, not inherited
    if (Object.hasOwn(user, 'isAdmin') && user.isAdmin) {
      grantAccess();
    }
    ```

  - Learn more: https://shoulder.dev/learn/javascript/cwe-1321/prototype-pollution-gadget

### Typescript (2 rules)

- **Prototype Pollution via Object Manipulation** [HIGH]: Detects user input flowing to object merge operations without filtering dangerous keys.
  - Remediation: Filter dangerous keys (`__proto__`, `constructor`, `prototype`) before merging objects.

    ```javascript
    // Drop the keys that can reach the prototype chain before merging untrusted input
    const BLOCKED = ['__proto__', 'constructor', 'prototype'];
    const filtered = Object.fromEntries(
      Object.entries(input).filter(([k]) => !BLOCKED.includes(k))
    );
    ```

  - Learn more: https://shoulder.dev/learn/javascript/cwe-1321/prototype-pollution

- **Prototype Pollution Gadget - Unsafe Property Trust** [MEDIUM]: Detects authorization checks that trust properties without verifying they are own properties.
  - Remediation: Use `Object.hasOwn()` to verify properties are not inherited from the prototype.

    ```javascript
    // Only honour isAdmin when it is set on the user object itself, not inherited
    if (Object.hasOwn(user, 'isAdmin') && user.isAdmin) {
      grantAccess();
    }
    ```

  - Learn more: https://shoulder.dev/learn/javascript/cwe-1321/prototype-pollution-gadget
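The two rules above describe one chain: an unfiltered recursive merge pollutes `Object.prototype`, and a naive `user.isAdmin` check then passes for every object in the process. The following added example (not code from the Shoulder page) puts the unsafe merge beside a hardened merge that blocks the dangerous keys and recurses only into own properties, and shows how `Object.hasOwn()` closes the gadget; `unsafeMerge`, `safeMerge`, `isAdmin` and the JSON payload are constructed for illustration.

```javascript
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: copies every key, so an own "__proto__" key from JSON.parse
// makes target["__proto__"] (the real Object.prototype) the recursion target.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: drop blocked keys and never descend into an inherited property.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED.has(key)) continue;
    const value = source[key];
    if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
      if (!Object.hasOwn(target, key) || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Authorization check that only honours an own property.
function isAdmin(user) {
  return Object.hasOwn(user, 'isAdmin') && user.isAdmin === true;
}

// Constructed request body of the kind a JSON body parser hands to a settings merge.
const PAYLOAD = JSON.parse('{"theme":"dark","__proto__":{"isAdmin":true}}');

function demoUnsafe() {
  unsafeMerge({}, PAYLOAD);
  const victim = {};                       // unrelated object created afterwards
  const result = { naiveCheck: victim.isAdmin === true, hasOwnCheck: isAdmin(victim) };
  delete Object.prototype.isAdmin;         // undo the pollution for the rest of the process
  return result;
}

function demoSafe() {
  const settings = safeMerge({}, PAYLOAD);
  return { theme: settings.theme, leaked: ({}).isAdmin === true, hasProto: Object.hasOwn(settings, '__proto__') };
}
```

`demoUnsafe()` returns `naiveCheck: true` for an object that never had `isAdmin` set, while the `Object.hasOwn()` check stays false; `demoSafe()` keeps the legitimate `theme` key and leaves the prototype untouched.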