Prototype pollution

Prototype pollution is a class of vulnerabilities in JavaScript runtimes that allows attackers to overwrite arbitrary properties in an object's prototype.^[1]^[2]^[3]

References edit

^ Li, Song; Kang, Mingqing; Hou, Jianwei; Cao, Yinzhi (2021-08-18). "Detecting Node.js prototype pollution vulnerabilities via object lookup analysis". Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. ESEC/FSE 2021. New York, NY, USA: Association for Computing Machinery. pp. 268–279. doi:10.1145/3468264.3468542. ISBN 978-1-4503-8562-6.
^ Kang, Zifeng; Li, Song; Cao, Yinzhi (2022). "Probe the Proto: Measuring Client-Side Prototype Pollution Vulnerabilities of One Million Real-world Websites". Proceedings 2022 Network and Distributed System Security Symposium. Reston, VA: Internet Society. doi:10.14722/ndss.2022.24308. ISBN 978-1-891562-74-7.
^ Shcherbakov, Mikhail; Balliu, Musard; Staicu, Cristian-Alexandru (2023). "Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js". SEC '23: Proceedings of the 32nd USENIX Conference on Security Symposium: 5521–5538. arXiv:2207.11171. ISBN 978-1-939133-37-3.

External links edit

Prototype Pollution Prevention Cheat Sheet - OWASP

This computer security article is a stub. You can help Wikipedia by expanding it.

[1] Li, Song; Kang, Mingqing; Hou, Jianwei; Cao, Yinzhi (2021-08-18). "Detecting Node.js prototype pollution vulnerabilities via object lookup analysis". Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. ESEC/FSE 2021. New York, NY, USA: Association for Computing Machinery. pp. 268–279. doi:10.1145/3468264.3468542. ISBN 978-1-4503-8562-6.

[2] Kang, Zifeng; Li, Song; Cao, Yinzhi (2022). "Probe the Proto: Measuring Client-Side Prototype Pollution Vulnerabilities of One Million Real-world Websites". Proceedings 2022 Network and Distributed System Security Symposium. Reston, VA: Internet Society. doi:10.14722/ndss.2022.24308. ISBN 978-1-891562-74-7.

[3] Shcherbakov, Mikhail; Balliu, Musard; Staicu, Cristian-Alexandru (2023). "Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js". SEC '23: Proceedings of the 32nd USENIX Conference on Security Symposium: 5521–5538. arXiv:2207.11171. ISBN 978-1-939133-37-3.

[1]

[2]

[3]