Injection: Client Side Prototype Pollution
Identifier:
improper_input_client_side_proto_pollution
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner |
|---|---|---|
Description
Client-side prototype pollution occurs when user-controlled input is not properly validated and can modify an application's internal object prototypes. This allows attackers to inject malicious properties into objects, potentially altering application behavior, bypassing security controls, or leading to further vulnerabilities such as cross-site scripting (XSS). Since the attack happens on the client side, it can be difficult to detect and can impact all users interacting with the compromised code.
To prevent prototype pollution, ensure that all user inputs are properly validated, sanitized, and restricted before being used in object assignments or merges. Avoid using insecure methods such as Object.assign() or deep merge functions without checks. Implement allowlists for acceptable keys, freeze object prototypes when possible, and leverage secure libraries that are designed to handle deep object manipulation safely.
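The unsafe merge described above next to a hardened one, as an added example that is not part of the original page or of the scanner. It assumes a hypothetical client-side settings merge; the untrusted JSON input is constructed for the demonstration.

```javascript
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable deep merge: a source key of "__proto__" makes target[key]
// resolve to Object.prototype, so the recursion writes attacker-chosen
// properties that every object in the page then inherits.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened deep merge: drops the prototype-reaching keys, only recurses into
// the target's own properties, and optionally enforces a key allowlist
// (applied at every nesting level).
function safeMerge(target, source, allowedKeys = null) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (allowedKeys && !allowedKeys.has(key)) continue;
    if (isPlainObject(source[key])) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], source[key], allowedKeys);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed sample input (hypothetical), shaped like a JSON settings blob a
// page might merge into its config from the URL fragment or a postMessage.
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Returns true if merging the sample with mergeFn left a property on
// Object.prototype that an unrelated, freshly created object inherits.
function pollutionLeaks(mergeFn) {
  mergeFn({}, JSON.parse(UNTRUSTED_JSON));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo any pollution so later code is unaffected
  return leaked;
}
```

Freezing `Object.prototype` at startup (`Object.freeze(Object.prototype)`) is a complementary defence when the application can tolerate it; it is not shown here because it affects every object in the page.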
References:
- https://portswigger.net/web-security/prototype-pollution
- https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html
Configuration
Example
Example configuration:
```yaml
---
security_tests:
  improper_input_client_side_proto_pollution:
    assets_allowed:
      - WEBAPP
    skip: false
```
Reference
assets_allowed
Type : List[AssetType]*
List of assets that this check will cover.
skip
Type : boolean
Skip the test if true.