Injection: Client Side Prototype Pollution¶
Identifier:
improper_input_client_side_proto_pollution
Scanner(s) Support¶
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description¶
Client-side prototype pollution occurs when user-controlled input can modify an application's object prototypes, potentially altering application behavior, bypassing security controls, or leading to cross-site scripting vulnerabilities.
How we test: We inject prototype pollution payloads into request parameters and analyze client-side JavaScript code execution to detect if object prototypes can be modified. We test for various prototype pollution techniques and check if user input is properly validated before being used in object assignments or merges.
References:
- https://portswigger.net/web-security/prototype-pollution
- https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html
Configuration¶
Example¶
Example configuration:
Reference¶
skip¶
Type : boolean
Skip the test if true.