## https://sploitus.com/exploit?id=CC1BEB71-3BA3-537F-A99B-780EC2819E56
# SealSecurity_Exam
Prototype pollution is a JavaScript vulnerability that enables an attacker to
add arbitrary properties to global object prototypes, which may then be inherited by user-defined objects.
A prototype pollution source is any user-controllable input that enables you to add arbitrary properties to prototype objects.
The most common sources are as follows:
- URL
- JSON
- Web Messages
For the tough-cookie package (v2.5.0) the first source, the URL, is the relevant one.
It happens as follows. Consider a request such as:
`https://vulnerable-website.com/?__proto__[badProperty]=payload`
When breaking the query string down into key:value pairs, a URL parser may interpret `__proto__` as an arbitrary string.
At some point, a recursive merge operation may assign the value of `badProperty` using a statement equivalent to the following:
`targetObject.__proto__.badProperty = 'payload';`
`__proto__` has special usage in JavaScript. As we know, if some property P1 is not found on an object, it will be looked up in the prototype of this object.
Example:
```javascript
function myClass() {
  this.P1 = 'value';
}
let mc = new myClass();
console.log(mc.P1); // 'value'
console.log(mc.P2); // undefined, P2 exists neither on mc nor on its prototype
mc.__proto__.P2 = 'value2'; // writes to myClass.prototype, shared by every instance
let mc2 = new myClass();
console.log(mc.P2);  // 'value2'
console.log(mc2.P2); // 'value2', the new instance inherits it too
```
After changing `__proto__`, all created instances of myClass will have property P2.
For the tough-cookie package (v2.5.0) this prototype pollution vulnerability can be seen from the following code snippet:
```javascript
const { CookieJar } = require("tough-cookie");
const cookiejar = new CookieJar(); // uses MemoryCookieStore by default

// Domain=__proto__ becomes the first-level key of the store's idx object
await new Promise((resolve, reject) => {
  cookiejar.setCookie(
    "Slonser=polluted; Domain=__proto__; Path=/notauth",
    "https://__proto__/admin",
    { loose: true },
    (err, cookie) => {
      if (err) {
        reject(err);
      } else {
        resolve(cookie);
      }
    }
  );
});
```
It was found that the CookieJar class uses `MemoryCookieStore` as its store by default, and in several methods of `MemoryCookieStore` objects are initialized like the following:
```
this.idx = {};
```
This means that properties (possibly with problematic values) can be added to the prototype of `this.idx` via `__proto__`. To prevent this, the initialization was changed in several places as follows:
```
this.idx = Object.create(null);
```
This creates an empty object without a prototype, so `__proto__` is just an ordinary key on it. A test,
memstore_vulnerability_fix_test.js, was added to verify the fix.
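To see why the `{}` to `Object.create(null)` change matters, the following added example (not tough-cookie's own code) models the store's `idx[domain][path][name]` index in both the vulnerable and the fixed form, stores the page's `Domain=__proto__; Path=/notauth` cookie in each, and checks whether an unrelated object picked up the `/notauth` property. The class and method names are assumptions for illustration.

```javascript
// Hypothetical model of MemoryCookieStore.putCookie, vulnerable variant:
// every level of the index inherits from Object.prototype.
class VulnerableStore {
  constructor() {
    this.idx = {};
  }
  putCookie(domain, path, name, cookie) {
    // idx["__proto__"] resolves to Object.prototype, which is truthy,
    // so the next level is created directly on Object.prototype.
    if (!this.idx[domain]) this.idx[domain] = {};
    if (!this.idx[domain][path]) this.idx[domain][path] = {};
    this.idx[domain][path][name] = cookie;
  }
  getCookie(domain, path, name) {
    const byPath = this.idx[domain] && this.idx[domain][path];
    return byPath ? byPath[name] : undefined;
  }
}

// Fixed variant: null-prototype objects at every level, so "__proto__"
// is an ordinary own key and nothing reaches Object.prototype.
class FixedStore extends VulnerableStore {
  constructor() {
    super();
    this.idx = Object.create(null);
  }
  putCookie(domain, path, name, cookie) {
    if (!this.idx[domain]) this.idx[domain] = Object.create(null);
    if (!this.idx[domain][path]) this.idx[domain][path] = Object.create(null);
    this.idx[domain][path][name] = cookie;
  }
}

// Detection check: after storing the cookie from the page (constructed
// input), does a fresh, unrelated object now see a "/notauth" property?
function leaksIntoPrototype(StoreClass) {
  const store = new StoreClass();
  store.putCookie("__proto__", "/notauth", "Slonser", { value: "polluted" });
  const unrelated = {};
  const leaked = "/notauth" in unrelated;
  delete Object.prototype["/notauth"]; // undo pollution so later code is unaffected
  return leaked;
}

console.log("vulnerable leaks:", leaksIntoPrototype(VulnerableStore)); // true
console.log("fixed leaks:", leaksIntoPrototype(FixedStore));           // false
```

The fixed store still round-trips the cookie through `getCookie`; it simply keeps `__proto__` as a normal map key.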