JavaScript Interview Questions

Question 74

Question

How does prototype pollution occur and how can it be prevented?

Answer

What is Prototype Pollution?

Prototype pollution happens when malicious code or attacker-controlled input alters the prototype chain of an object. Because prototypes are shared, attackers can add properties to built-in objects or user-defined classes, potentially overriding existing methods and functionality with their own. This can lead to serious security breaches.

How it Occurs:

  1. Uncontrolled User Input: The most common cause is accepting untrusted user input without proper sanitization. If an attacker can inject data into a property assignment that reaches the target object's prototype chain, they can add or override properties on the prototype.

    // Defines a function property on the prototype of the global object,
    // so the property becomes visible through the prototype chain.
    Object.defineProperty(globalThis.__proto__, 'someProperty', {
        value: function() {  // Malicious code!
            console.log('Prototype polluted!');
        }
    });

  2. Incorrect use of __proto__: Directly manipulating the __proto__ property can lead to unintended consequences and make objects vulnerable to pollution.

Consequences:

  • Data Manipulation: Attackers can modify data stored in user-defined objects or built-in objects like Array, Object, etc.

  • Code Execution: They can inject malicious code that runs when objects are created or used.

  • Bypass Security Measures: Prototype pollution can undermine security mechanisms relying on trusted prototypes, leading to privilege escalation.

Prevention Strategies:

  1. Sanitize User Input: Always validate and sanitize user input before using it in object creation or property assignments. Escape special characters and use whitelist approaches to restrict allowed values.

  2. Avoid Direct __proto__ Manipulation: Instead of directly modifying the __proto__ property, rely on established methods for inheritance and class structures. Consider using the built-in Proxy object for more controlled access to object properties.

  3. Use Secure Frameworks/Libraries: Employ frameworks or libraries known for robust security practices that mitigate vulnerabilities like prototype pollution.

  4. Regular Security Audits: Conduct regular security audits and penetration testing to identify potential weaknesses in your codebase.
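
The untrusted-input case and the input-sanitization fix described above, as an added example that is not part of the original page: a recursive merge that follows a `__proto__` key from parsed JSON, next to a hardened version. The names `unsafeMerge`, `safeMerge`, `demo` and the sample payload are hypothetical and constructed for illustration.

```javascript
// Added example; function names and the payload are constructed, not from the page.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable: follows whatever key the input supplies, including "__proto__".
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      unsafeMerge(target[key], source[key]); // target["__proto__"] is Object.prototype
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: drops prototype-reaching keys and only recurses into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) &&
        isPlainObject(target[key]);
      target[key] = safeMerge(own ? target[key] : Object.create(null), value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function demo() {
  // Constructed sample of untrusted input, e.g. a JSON request body.
  const payload = JSON.parse('{"theme":"dark","__proto__":{"isAdmin":true}}');

  unsafeMerge({}, payload);
  const pollutedAfterUnsafe = ({}).isAdmin === true; // unrelated object inherits it
  delete Object.prototype.isAdmin; // restore the shared prototype

  // A null-prototype target has no inherited properties to reach or override.
  const merged = safeMerge(Object.create(null), payload);
  const pollutedAfterSafe = ({}).isAdmin === true;
  return { pollutedAfterUnsafe, pollutedAfterSafe, theme: merged.theme };
}

console.log(demo());
```
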


Last updated 9 months ago