Prototype Pollution in Dynamodb
How Prototype Pollution Manifests in Dynamodb
Prototype pollution in DynamoDB occurs when untrusted data flows through object manipulation functions that can modify JavaScript object prototypes, leading to unexpected behavior in DynamoDB operations. This vulnerability is particularly dangerous in Node.js applications that use DynamoDB SDKs because the prototype chain can be manipulated to affect all objects of a certain type.
The most common attack vector involves the Object.assign() or spread operator (...) when merging user input with DynamoDB item objects. Consider this vulnerable pattern:
const AWS = require('aws-sdk');
const dynamodb = new AWS.DynamoDB.DocumentClient();
exports.handler = async (event) => {
const { userId, item } = JSON.parse(event.body);
// VULNERABLE: User-controlled data merged without validation
const dynamodbItem = { ...item, userId };
await dynamodb.put({
TableName: 'Products',
Item: dynamodbItem
}).promise();
return { statusCode: 200, body: 'Success' };
};
An attacker can exploit this by sending a request with a __proto__ property:
{
"userId": "user123",
"item": {
"name": "Sneakers",
"price": 99.99,
"__proto__": {
"admin": true
}
}
}
This pollution can affect how DynamoDB interprets item attributes. In DynamoDB, certain attribute names have special meaning. For example, NULL, BOOL, and L are DynamoDB data type indicators. If an attacker pollutes the prototype with these keys, it can cause type confusion:
// After prototype pollution, this code behaves unexpectedly
const item = { name: 'Product' };
console.log(item.NULL); // true (from polluted prototype)
console.log(item.BOOL); // true (from polluted prototype)
DynamoDB's DocumentClient interprets these values when converting between JavaScript objects and DynamoDB's internal format. A polluted object might cause DocumentClient to serialize attributes incorrectly, potentially bypassing validation or causing data corruption.
Another attack pattern involves the constructor property. If an attacker pollutes Object.prototype.constructor, it can affect how DynamoDB handles custom objects:
// Attacker-controlled request
{
"item": {
"name": "Product",
"__proto__": {
"constructor": {
"prototype": {
"toString": function() { return 'HACKED'; }
}
}
}
}
}
This can cause DynamoDB operations to fail or behave unpredictably when the SDK attempts to serialize objects for storage.
Dynamodb-Specific Detection
Detecting prototype pollution in DynamoDB applications requires both static analysis and runtime monitoring. Here are the most effective detection strategies:
Static Code Analysis should focus on identifying unsafe object merging patterns. Use ESLint rules or custom scripts to find:
// Unsafe patterns to detect
const unsafePatterns = [
'Object.assign(',
'{...obj}',
'Object.create(',
'Object.setPrototypeOf('
];
Run these checks against your codebase:
const fs = require('fs');
const path = require('path');
function scanForPrototypePollution(filePath) {
const content = fs.readFileSync(filePath, 'utf8');
const matches = [];
if (content.includes('Object.assign(') ||
content.includes('{...') ||
content.includes('Object.create(')) {
matches.push('Potential prototype pollution pattern detected');
}
return matches;
}
Runtime Detection involves monitoring DynamoDB operations for anomalous behavior. Implement a wrapper around your DocumentClient:
class SecureDocumentClient extends AWS.DynamoDB.DocumentClient {
async put(params, callback) {
this.validateParams(params);
return super.put(params, callback).promise();
}
validateParams(params) {
const suspiciousKeys = ['__proto__', 'constructor', 'prototype'];
this.checkForSuspiciousKeys(params.Item, suspiciousKeys);
this.checkForSuspiciousKeys(params.UpdateExpression, suspiciousKeys);
}
checkForSuspiciousKeys(obj, keys) {
if (obj === null || typeof obj !== 'object') return;
for (const key of Object.keys(obj)) {
if (keys.includes(key)) {
throw new Error(`Prototype pollution attempt detected: ${key}`);
}
if (typeof obj[key] === 'object') {
this.checkForSuspiciousKeys(obj[key], keys);
}
}
}
}
middleBrick Scanning provides automated detection of prototype pollution vulnerabilities in your DynamoDB APIs. The scanner tests for:
| Test Category | Description | Detection Method |
|---|---|---|
| Object Merging | Tests for unsafe Object.assign() and spread operator usage |
Static analysis of API responses |
| Prototype Manipulation | Attempts to inject __proto__ and constructor properties |
Active probing with malicious payloads |
| Type Confusion | Tests for DynamoDB type indicator pollution | Runtime behavior analysis |
middleBrick's black-box scanning approach tests your DynamoDB endpoints without requiring credentials or access to your source code. The scanner sends crafted requests containing prototype pollution payloads and analyzes the responses for indicators of vulnerability.
Network Monitoring can detect prototype pollution attempts by looking for unusual patterns in API requests:
// WAF-like rule for detecting prototype pollution attempts
function detectPrototypePollutionAttempt(request) {
const suspiciousPatterns = [
/__proto__/,
/constructor/,
/prototype/,
/Object\.assign/,
/{.../,
/Object\.create/
];
const suspiciousKeys = ['__proto__', 'constructor', 'prototype'];
if (typeof request.body === 'object') {
const keys = Object.keys(request.body);
const matches = keys.filter(key => suspiciousKeys.includes(key));
if (matches.length > 0) {
return {
threat: 'Prototype Pollution Attempt',
keys: matches,
severity: matches.length > 2 ? 'high' : 'medium'
};
}
}
return null;
}
Dynamodb-Specific Remediation
Remediating prototype pollution in DynamoDB applications requires a defense-in-depth approach. Here are the most effective strategies:
Input Sanitization is the first line of defense. Before processing any user input that will be stored in DynamoDB, sanitize objects to remove dangerous properties:
function sanitizeForDynamoDB(obj) {
const dangerousKeys = ['__proto__', 'constructor', 'prototype', 'toString', 'valueOf'];
if (obj === null || typeof obj !== 'object') {
return obj;
}
if (Array.isArray(obj)) {
return obj.map(item => sanitizeForDynamoDB(item));
}
const sanitized = {};
for (const [key, value] of Object.entries(obj)) {
if (dangerousKeys.includes(key)) {
console.warn(`Removed dangerous key: ${key}`);
continue;
}
if (typeof value === 'object') {
sanitized[key] = sanitizeForDynamoDB(value);
} else {
sanitized[key] = value;
}
}
return sanitized;
}
// Usage in DynamoDB operations
const AWS = require('aws-sdk');
const dynamodb = new AWS.DynamoDB.DocumentClient();
exports.handler = async (event) => {
const { userId, item } = JSON.parse(event.body);
const sanitizedItem = sanitizeForDynamoDB(item);
const dynamodbItem = { ...sanitizedItem, userId };
await dynamodb.put({
TableName: 'Products',
Item: dynamodbItem
}).promise();
return { statusCode: 200, body: 'Success' };
};
Safe Object Merging replaces vulnerable patterns with secure alternatives. Instead of Object.assign() or spread operators, use property-by-property assignment with validation:
function safeMerge(base, additions) {
const result = { ...base };
for (const [key, value] of Object.entries(additions)) {
if (key.startsWith('__') || key === 'constructor') {
console.warn(`Blocked unsafe property: ${key}`);
continue;
}
result[key] = value;
}
return result;
}
// Usage
const userData = { name: 'John', email: 'john@example.com' };
const userUpdate = { name: 'John Doe', __proto__: { admin: true } };
const safeUpdate = safeMerge(userData, userUpdate);
// Result: { name: 'John Doe', email: 'john@example.com' }
// __proto__ property blocked
DynamoDB-Specific Validation ensures that items conform to expected schemas before storage:
const Joi = require('joi');
const productSchema = Joi.object({
name: Joi.string().required(),
price: Joi.number().min(0).required(),
description: Joi.string().optional(),
userId: Joi.string().required()
});
async function safeDynamoDBPut(tableName, item) {
// Sanitize first
const sanitizedItem = sanitizeForDynamoDB(item);
// Validate against schema
const { error } = productSchema.validate(sanitizedItem, {
abortEarly: false,
allowUnknown: false
});
if (error) {
throw new Error(`Validation failed: ${error.details.map(d => d.message).join(', ')}`);
}
const dynamodb = new AWS.DynamoDB.DocumentClient();
await dynamodb.put({
TableName: tableName,
Item: sanitizedItem
}).promise();
}
Immutable Data Structures prevent prototype pollution by using frozen objects:
function createImmutableItem(baseItem) {
const sanitized = sanitizeForDynamoDB(baseItem);
return Object.freeze(sanitized);
}
// Usage
const userItem = createImmutableItem({
name: 'Product',
price: 99.99,
__proto__: { admin: true } // Will be removed
});
// Attempting to modify will fail silently or throw in strict mode
userItem.name = 'New Name'; // No effect
console.log(userItem.name); // 'Product'
middleBrick Integration helps verify your remediation efforts. After implementing fixes, use middleBrick to scan your APIs:
# Install middleBrick CLI
npm install -g middlebrick
# Scan your DynamoDB API endpoint
middlebrick scan https://api.example.com/products --api=dynamodb
# Check results
middlebrick report last --format=json
The middleBrick dashboard provides continuous monitoring, alerting you if prototype pollution vulnerabilities reappear after remediation. It also maps findings to compliance frameworks like OWASP API Top 10 and PCI-DSS.
Testing Your Remediation involves actively attempting to exploit the fixed code:
async function testPrototypePollutionProtection() {
const testPayload = {
name: 'Test Product',
price: 19.99,
__proto__: {
admin: true,
constructor: {
prototype: {
toString: () => 'HACKED'
}
}
}
};
try {
await safeDynamoDBPut('Products', testPayload);
console.log('Test passed: No prototype pollution occurred');
} catch (error) {
console.log('Test passed: Prototype pollution blocked');
}
}