2

I received a Jira as a result of a security scan asking to update lodash for CVE-2019-10744, which is a prototype pollution vulnerability. After reading this excellent paper about prototype pollution, it seems to me that this would only be an issue when running JavaScript on the back end.

As we only use JavaScript on the client side, is it reasonable to deprioritize this particular class of vulnerability? Or can this be exploited client side as a vector into other kinds of attacks like XSS? More generally, is there a reliable way to tell what kinds of JavaScript vulnerabilities are problematic on the front end vs. the back end?

Anders
Karl Bielefeldt

3 Answers

2

Prototype pollution can be exploited at the front end. Payloads can be sent in similar fashion to reflected and stored XSS, and affect the behaviour of the front end for the victim receiving them. So this is a real issue that you should deal with. The most famous example of prototype pollution vulnerabilities is probably from jQuery - a client side library.

However, prototype pollution attacks can be quite complicated to pull off as they need to be tailored to your specific application. And just because you are using a vulnerable library doesn't mean your application is also vulnerable. Figuring out if you are is probably considerably harder than just fixing the issue, though.

So update lodash! Don't deprioritize it!

If for some reason an update is complicated, have a look at the no-pollution package that mitigates the issue without solving it completely. (On second thought, that library doesn't look like it solves anything.) If you want to learn more, I found this Medium article very helpful. This question could also be good reading.

Anders
0

Most scans report vulnerabilities on a service/app; they don't know whether or how you are using it. Only you know whether the threat level is correct for your environment in real terms.

That said, I would patch with the latest version, always, anyway, as good practice. Bad actors can exploit, even if it's not today, so keep it patched against said vulnerability if possible. Or look at other suitable mitigating controls if no patch exists.

ISMSDEV
0

Prototype pollution is a complicated vulnerability. Just because it's client side doesn't mean it's not doing some important application logic there. Understand what the application does with JavaScript and then see if the vulnerability can be used somewhere.

The fix for it is very simple: in jQuery's core.js file, instead of

if ( target === copy ) {

use

if ( name === "__proto__" || target === copy ) {

https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
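The following is an added example, not code from any of the answers, from lodash or from jQuery. It serves two passages at once: Anders's point that a pollution payload can reach the victim purely client-side and flip application behaviour, and the `__proto__` check in the jQuery commit linked above. It uses a toy recursive merge in the style of lodash's deep-merge functions and jQuery.extend(true, ...), first without and then with the guard. The `rawHtml` option, the `config` URL parameter and the `app.example` host mentioned in the comments are assumptions made for the example.

```javascript
// Added example (not the answers' code, nor lodash's or jQuery's): a toy deep
// merge with and without the "__proto__" guard, driven by an attacker-controlled
// JSON payload that never touches a server-side JavaScript runtime.

// Vulnerable deep merge. Object.keys() of a JSON.parse()'d object includes an
// own "__proto__" key, and target["__proto__"] on a plain object resolves to
// Object.prototype, so the recursion writes the attacker's keys onto the
// prototype shared by every object in the page.
function mergeVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      mergeVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened deep merge: the jQuery commit's check (skip "__proto__"), plus
// "constructor" and "prototype", which many fixes also block because a
// {"constructor":{"prototype":{...}}} payload reaches Object.prototype in
// merges that recurse into any existing value, not only plain objects.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// A client-side "gadget": a renderer that reads an option callers normally
// omit. With a polluted prototype the absent property resolves to the
// attacker's value, switching escaping off: pollution turning into XSS.
// (rawHtml is an assumed option name for this example.)
function render(userText, options = {}) {
  if (options.rawHtml) {
    return userText;                       // caller will innerHTML this
  }
  const map = { "<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&#39;" };
  return userText.replace(/[<>&"']/g, (c) => map[c]);
}

// Constructed payload. Imagine it arriving in a link the victim clicks, e.g.
// https://app.example/#config=<url-encoded JSON> (host and parameter name are
// assumptions), and the front end doing JSON.parse + deep merge into its config.
const PAYLOAD = '{"__proto__":{"rawHtml":true}}';
const INJECTED = '<img src=x onerror=alert(1)>';

// Merge the payload into a fresh settings object with the given merge
// function, render untrusted text WITHOUT passing any options, then undo any
// pollution so the rest of the process is unaffected.
function simulate(mergeFn) {
  const settings = mergeFn({}, JSON.parse(PAYLOAD));
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, "rawHtml");
  const output = render(INJECTED);
  delete Object.prototype.rawHtml;
  return { polluted, output, settingsOwnKeys: Object.keys(settings) };
}

console.log("vulnerable:", simulate(mergeVulnerable));
console.log("hardened:  ", simulate(mergeSafe));
```

Note what the check in `simulate` looks at: `settings` itself ends up with no own keys in either case, which is why "is my config object clean?" is the wrong question; the damage is on `Object.prototype`, visible through `({}).rawHtml`, and it affects every later caller of `render` in the page, not only code that handled the payload.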