# Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321) The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. - Prevalence: Medium 1 language covered - Impact: High 1 high-severity rules - Prevention: Documented 2 fix examples **OWASP:** Injection (A03:2021-Injection) - #3 ## Description By modifying the prototype of base objects like Object.prototype, attackers can affect all objects that inherit from these prototypes, potentially leading to code execution or denial of service. ## Prevention Prevention strategies for Prototype Pollution based on 2 Shoulder detection rules. ### Node.js Filter dangerous keys (__proto__, constructor, prototype) or use schema validation before merging user input Use Object.hasOwn() to verify authorization properties are own properties, not inherited from a polluted prototype ## Warning Signs - [HIGH] user input flowing to object merge operations without filtering dangerous keys - [MEDIUM] authorization checks that trust properties without verifying they are own properties ## Consequences - Execute Unauthorized Code - Modify Application Data - DoS ## Mitigations - Use Object.create(null) for lookup objects - Validate and sanitize keys before object assignment - Use Map instead of plain objects for user-controlled keys ## Detection - Total rules: 2 - Languages: javascript, typescript ## Rules by Language ### Javascript (2 rules) - **Prototype Pollution via Object Manipulation** [HIGH]: Detects user input flowing to object merge operations without filtering dangerous keys. - Remediation: Filter dangerous keys (__proto__, constructor, prototype) before merging objects. ```javascript const BLOCKED = ['__proto__', 'constructor', 'prototype']; const filtered = Object.fromEntries( Object.entries(input).filter(([k]) => !BLOCKED.includes(k)) ); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-1321/prototype-pollution - **Prototype Pollution Gadget - Unsafe Property Trust** [MEDIUM]: Detects authorization checks that trust properties without verifying they are own properties. - Remediation: Use Object.hasOwn() to verify properties are not inherited from prototype. ```javascript if (Object.hasOwn(user, 'isAdmin') && user.isAdmin) { grantAccess(); } ``` Learn more: https://shoulder.dev/learn/javascript/cwe-1321/prototype-pollution-gadget ### Typescript (2 rules) - **Prototype Pollution via Object Manipulation** [HIGH]: Detects user input flowing to object merge operations without filtering dangerous keys. - Remediation: Filter dangerous keys (__proto__, constructor, prototype) before merging objects. ```javascript const BLOCKED = ['__proto__', 'constructor', 'prototype']; const filtered = Object.fromEntries( Object.entries(input).filter(([k]) => !BLOCKED.includes(k)) ); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-1321/prototype-pollution - **Prototype Pollution Gadget - Unsafe Property Trust** [MEDIUM]: Detects authorization checks that trust properties without verifying they are own properties. - Remediation: Use Object.hasOwn() to verify properties are not inherited from prototype. ```javascript if (Object.hasOwn(user, 'isAdmin') && user.isAdmin) { grantAccess(); } ``` Learn more: https://shoulder.dev/learn/javascript/cwe-1321/prototype-pollution-gadget