Prototype Pollution

In the thrilling world of cyber security, where hackers and pentesters roam searching for vulnerabilities, there is an evolving concept known as prototype pollution. This allows bad actors to manipulate and exploit the inner workings of JavaScript applications and enables attackers to gain access to sensitive data and application backend.

While prototype pollution is most commonly discussed in the context of JavaScript, the concept can apply to any system that uses a similar prototype-based inheritance (opens in new tab) model.

However, JavaScript's widespread use, particularly in web development, and its flexible and dynamic object model make prototype pollution a more prominent and relevant concern in this language. In contrast, class-based inheritance (opens in new tab) languages like Java or C++ have a different model of inheritance where classes (blueprints for objects) are typically static, and altering a class at runtime to affect all its instances is not a common practice or straightforward task.

• How prototype pollution works
  
• Potential risks to web applications
• Exploitation techniques (client and server-side)
• Mitigation techniques

• How websites work
• HTTP protocols & methods
• OWASP top 10 web vulnerabilities

Connecting to the Machine
You can start the virtual machine by clicking Start Machine. The machine will start in a split-screen view. In case the VM is not visible, use the blue Show Split View button at the top-right of the page. We use a vulnerable social media application throughout the room to perform the exercise practically and become familiar with various attack vectors. Please wait 1-2 minutes after the system boots completely to let the auto scripts run successfully.