Prototype Pollution
Prototype pollution is a severe vulnerability class associated with prototype-based languages, the most popular among them being JavaScript.
However, a researcher has discovered Python-specific variants of prototype pollution, and other class-based programming languages may also be exposed to similar threats.
With prototype pollution, a threat actor may access and control the default values of an object’s properties. In addition to allowing the attacker to alter the application’s logic, this can also result in denial-of-service attacks or, in severe cases, remote code execution.
From Prototype Pollution to Class Pollution
In JavaScript, each object inherits the ‘prototype’ of the parent object, which includes all the functions and characteristics of that object. JavaScript objects can access the functionality of their parents by traversing their prototypes.
In the course of runtime, the prototype could as well be modified, making JavaScript dynamic and flexible but also dangerous. Prototype pollution attacks utilize and exploit this characteristic in order to modify the behavior of JavaScript applications and to conduct malicious activities. It is claimed that class-based languages like Python are resistant to such manipulations.
However, security researcher Abdulraheem Khaled has come across a coding scheme that ca
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: