Understanding Prototype Pollution

Gupta Bless
4 min read · Nov 5

JavaScript is widely used for client-side validation, but nowadays it is also used to build servers and backend applications. This increases the likelihood of server-side pollution and widens the attack surface for exploiting JavaScript at runtime. Prototype pollution is essentially an injection attack that targets the JavaScript runtime. JavaScript is an object-oriented language that supports inheritance through prototypes. Whenever we access a property on an object, JavaScript first checks whether the object itself has that property. If it does, that value is returned; otherwise the lookup continues on the object's prototype. This process continues up the prototype chain until the property is found or an object with no prototype is reached.

Learning More about Prototype Pollution

Let us try to understand with an example, where A is the object and B is the property.

const A = { B: "bless" } // A is the object, B is its own property

A.B // "bless"
A.C // undefined, A has no property C and neither does its prototype

// declaration of properties on the prototype shared by all plain objects
Object.prototype.B = "Hello BB"
Object.prototype.C = "Hello C"

A.B // "bless", A's own property shadows the inherited one
A.C // "Hello C", found on Object.prototype

So we can clearly see that C is not declared as a property of A, but it now exists on A's prototype, so the lookup finds it there. If an attacker is somehow able to modify the prototype, the change affects every object that inherits from it, which can further lead to unexpected consequences.

This vulnerability allows attackers to add properties that are accessible on all objects in JavaScript, and even to control the properties of objects and their default values. With this, an attacker can manipulate or tamper with the application logic, which can ultimately lead to DoS or RCE. In short, arbitrary properties are added to a global object and are later picked up by the user-defined objects that inherit from it.

This vulnerability exists when the application does not handle attacker-controlled properties in a safe way. Let’s explore…
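As an added example that is not part of the original post, the following contrasts a recursive merge that blindly copies attacker-controlled keys with a hardened version that refuses prototype-reaching keys and only recurses into objects the target itself owns; the function names and the JSON payload are constructed for illustration:

```javascript
// Added example, not code from the original post. unsafeMerge copies every key of an
// attacker-controlled object (e.g. parsed request JSON) into target; safeMerge is the hardened form.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === "object" && value !== null) {
      // target["__proto__"] resolves to Object.prototype, so the recursion writes into it
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that let a write reach a prototype instead of the target object itself.
const PROTOTYPE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {          // own enumerable keys only
    if (PROTOTYPE_KEYS.has(key)) continue;          // never follow prototype-reaching keys
    const value = source[key];
    if (typeof value === "object" && value !== null) {
      // Only recurse into a nested object that target itself owns, never into an inherited one
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge with a constructed payload and reports whether an unrelated, freshly
// created object afterwards inherits the injected property (true = prototype polluted).
function pollutesPrototype(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"isAdmin": true}}'); // constructed input
  mergeFn({}, payload);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // restore the prototype so later checks start clean
  return leaked;
}

console.log("unsafeMerge pollutes:", pollutesPrototype(unsafeMerge)); // true
console.log("safeMerge pollutes:", pollutesPrototype(safeMerge));     // false
```

Skipping `constructor` also drops a legitimate key of that name, which is the usual trade-off accepted for a general-purpose merge of untrusted input.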
