Prototype pollution attacks in NodeJS applications

Prototype pollution is a term that was coined many years ago in the JavaScript community to describe libraries that added extension methods to the prototype of base objects like "Object", "String" or "Function". This was quickly recognized as a bad practice because it introduced unexpected behavior in applications. In this presentation, we will analyze the problem of prototype pollution from a different angle. What if an attacker could pollute the prototype of the base object with their own value? What APIs allow such pollution? What can be done with it?


Olivier Arteau, Security Researcher

Olivier Arteau is a security researcher who works for a large financial institution. In his early days, he was a web developer, and he transitioned into the security field during university. Over the last few years he has given a good number of workshops for the MontreHack user group, and he is also part of the organizing team of a few CTFs (Mini-CTF OWASP and NorthSec).