Prototype pollution is a dangerous bug class associated with prototype-based languages, the most popular among them JavaScript.
One researcher, however, has found a variant of prototype pollution that is applicable to Python, while other class-based programming languages might also be vulnerable to similar attacks.
In JavaScript, each object inherits the ‘prototype’ of its parent object, which contains all the attributes and functions of that object. JavaScript objects can traverse the prototypes of their parents to access their functionality.
Prototypes can be modified at runtime, which makes JavaScript dynamic and flexible, but also dangerous. Prototype pollution attacks exploit this characteristic to modify the behavior of JavaScript applications and perform malicious actions.
Class-based languages such as Python are supposedly immune to such manipulations.
However, security researcher Abdulraheem Khaled has discovered a coding scheme that can allow attackers to perform prototype pollution-like attacks on Python programs. He calls it ‘class pollution’ in a blog post documenting his findings.
Khaled told The Daily Swig that he discovered the attack during attempts to translate the concepts of JavaScript prototype pollution to Python.
