JavaScript Prototype Pollution Attack demo against a NodeJS Express server using Lodash
If you find the project useful, please consider supporting, or contributing.
Prototype Pollution is an injection attack targeting JavaScript runtimes. Using it, an attacker can overwrite the default values of properties that every object in the running instance inherits from its prototype. This tampering may lead to controlling the logic of the application, crashing the server, or remote code execution.
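The mechanism in miniature, as an added example that is not part of this repository and does not use Lodash: a hand-written recursive merge of the kind a vulnerable deep-merge performs, beside a hardened merge that refuses to walk into prototype-controlling keys. The request body is constructed for the demo; `runDemo` is a hypothetical helper that also restores `Object.prototype` afterwards.

```javascript
// Keys that let a merge reach the prototype chain instead of the target object.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isObject(v) {
  return v !== null && typeof v === 'object';
}

// Vulnerable: JSON.parse creates an OWN property named "__proto__", so the loop
// visits it, target["__proto__"] resolves to Object.prototype, and the recursion
// writes the attacker's keys onto every object in the process.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const src = source[key];
    if (isObject(src)) {
      if (!isObject(target[key])) target[key] = {};
      naiveMerge(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Hardened: skip prototype-controlling keys and only recurse into properties
// the target itself owns, never into something inherited from its prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const src = source[key];
    if (isObject(src)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) && isObject(target[key]);
      target[key] = safeMerge(own ? target[key] : {}, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Constructed request body, shaped like the JSON a client could post to an
// endpoint that deep-merges it into a server-side object.
const PAYLOAD = '{"name":"demo","__proto__":{"polluted":"yes"}}';

// Runs one merge, reports whether an unrelated fresh object now sees the key
// (the detection check), and restores the runtime so later checks stay clean.
function runDemo(mergeFn) {
  const result = mergeFn({}, JSON.parse(PAYLOAD));
  const leaked = ({}).polluted; // undefined unless Object.prototype was touched
  delete Object.prototype.polluted;
  return { name: result.name, leaked };
}
```

`runDemo(naiveMerge).leaked` is `"yes"` while `runDemo(safeMerge).leaked` is `undefined`; the same fresh-object check is a cheap way to confirm a fix in a test suite.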
Please note that the program might work on earlier versions of the tools listed below, but this has not been tested.
- Docker-compose v1.29.2
- Docker v4.7.1
- NodeJS v16.15.0
- Yarn v3.2.1
The project uses Yarn Berry with Plug'n'Play to keep the packages vendored locally, since they contain known vulnerabilities and may eventually be removed.
Three options are included, from simplest to most involved:
- Using Docker-compose
- Manual Container building
- Manual installation and running
docker-compose up
Build the container:
docker build -t protopoll .
Run the container:
docker run -p8080:8080 protopoll
Install dependencies:
yarn install
If you don't have yarn installed:
npm install -g yarn
You will need root privileges on Linux.
Start the server:
node server
- Bash:
./exploit.sh
- PowerShell:
.\exploit.ps1
- Python:
python exploit.py
- REST Client: extension link
Example server run
Example exploit
Standard MIT license: document
This tool is intended for demonstrational purposes, so only use against your own systems or against ones you have authorization for. I take no responsibility for your actions.