Adding prototype parameter pollution #775

Open
roelstorms opened this issue Jul 20, 2021 · 9 comments
Labels
new New content to write

Comments

@roelstorms

Is it useful to add a section on prototype pollution (not to be confused with HTTP parameter pollution)? This vulnerability is a couple of years old but I can't find any reference to it in any OWASP project. It has one very interesting instance in a Kibana RCE exploit (CVE-2019-7609).

If you feel this is missing I can give it a go to write something. Please let me know where it might fit in.

Portswigger reference

@kingthorin
Collaborator

I think it makes sense to add some content as a sub-section under Client-side testing.

@kingthorin added the "new" (New content to write) label Jul 20, 2021

@ThunderSon
Collaborator

This is on the backend, and not client-side. This should go under the injection category.

@kingthorin
Collaborator

Are there two topics here? I was thinking like JS prototype pollution (ex: https://portswigger.net/daily-swig/prototype-pollution-the-dangerous-and-underrated-vulnerability-impacting-javascript-applications)

@alcastronic
Contributor

These are indeed two distinct topics. Prototype Pollution is an issue that occurs in JavaScript-based environments due to the nature of JavaScript being based on prototypes.

The first is the PP in Node.js backends, which got a good talk by Olivier Arteau, which I believe led to a "revival" of this issue:
https://github.com/HoLyVieR/prototype-pollution-nsec18

And second, there is PP in frontends, which can lead to XSS and also has the potential to bypass some defenses. BlackFan has a great repo on it.
https://github.com/BlackFan/client-side-prototype-pollution

@kingthorin
Collaborator

@kingthorin
Collaborator

@github-actions

Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.

@kingthorin
Collaborator

https://portswigger.net/research/widespread-prototype-pollution-gadgets

@ThunderSon
Collaborator

@kingthorin let's review priorities, if this should be tackled I might have time to do it 🙈

4 participants