Prototype Pollution
An attacker submits JSON containing `__proto__` or `constructor` keys; a deep-merge in your app walks into Object.prototype and writes the attacker's properties there, changing behavior for every object in the process. Arcis blocks the seven dangerous keys at object traversal time, case-insensitively.
What it catches
Seven dangerous keys, blocked case-insensitively at every level of object traversal:
- __proto__
- constructor
- prototype
- __defineGetter__
- __defineSetter__
- __lookupGetter__
- __lookupSetter__
Blocked surfaces: object key iteration, JSON-parsed request bodies, query-parameter parsing, deep-merge operations.
Sample payload
// Before (request body as received)
{ "name": "alice", "__proto__": { "isAdmin": true } }
// After (sanitize mode: the dangerous key is stripped, the rest passes through)
{ "name": "alice" }
// In block mode the request is rejected instead: 403, vector=prototype, rule=patterns.proto.dangerous-key
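To make the mechanism concrete, here is an added example (not Arcis code, and not part of the original page) showing why the key is dangerous and what a case-insensitive traversal check looks like. The request body is a constructed sample; `unsafeMerge`, `findDangerousKey`, `stripDangerousKeys` and `inspectBody` are hypothetical helpers written for this illustration, and the 403/vector/rule shape returned by `inspectBody` mirrors the block-mode output described above rather than the library's real API.

```javascript
// Constructed sample request body. It is kept as a string so that JSON.parse
// creates an *own* property literally named "__proto__", which is exactly what
// reaches an application's merge helper.
const SAMPLE_BODY = '{"name":"alice","__proto__":{"isAdmin":true}}';

// Vulnerable deep-merge, the shape of helper the page warns about. When key is
// "__proto__", target[key] evaluates to Object.prototype, so the recursive call
// writes isAdmin onto the prototype shared by every plain object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (source[key] && typeof source[key] === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Runs the vulnerable merge once, checks whether an unrelated fresh object now
// "has" isAdmin, then removes the polluted property so nothing else is affected.
function demonstratePollution() {
  unsafeMerge({}, JSON.parse(SAMPLE_BODY));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

// The seven keys from the page, stored lowercased so the lookup is case-insensitive.
const DANGEROUS_KEYS = new Set([
  '__proto__', 'constructor', 'prototype',
  '__definegetter__', '__definesetter__', '__lookupgetter__', '__lookupsetter__',
]);

// Walks objects and arrays at every depth; returns the path of the first dangerous
// key found (e.g. "$.a[0].CONSTRUCTOR") or null when the value is clean.
function findDangerousKey(value, path = '$') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findDangerousKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (DANGEROUS_KEYS.has(key.toLowerCase())) return `${path}.${key}`;
      const hit = findDangerousKey(value[key], `${path}.${key}`);
      if (hit) return hit;
    }
  }
  return null;
}

// Sanitize mode: rebuilds the value without any dangerous key, at every level.
function stripDangerousKeys(value) {
  if (Array.isArray(value)) return value.map(stripDangerousKeys);
  if (value && typeof value === 'object') {
    const clean = {};
    for (const key of Object.keys(value)) {
      if (DANGEROUS_KEYS.has(key.toLowerCase())) continue;
      clean[key] = stripDangerousKeys(value[key]);
    }
    return clean;
  }
  return value;
}

// Middleware-style decision (hypothetical shape): block -> 403 with vector/rule,
// otherwise pass the sanitized body on.
function inspectBody(body, { block }) {
  const hit = findDangerousKey(body);
  if (hit && block) {
    return { status: 403, vector: 'prototype', rule: 'patterns.proto.dangerous-key', path: hit };
  }
  return { status: 200, body: stripDangerousKeys(body) };
}

// Stand-alone run: prints the pollution result and both middleware modes.
console.log('unsafeMerge polluted Object.prototype:', demonstratePollution());
console.log(inspectBody(JSON.parse(SAMPLE_BODY), { block: true }));
console.log(inspectBody(JSON.parse(SAMPLE_BODY), { block: false }));
```

Two details matter in practice: the check runs on `Object.keys` of the parsed value rather than on the raw JSON text, so keys hidden inside nested objects or arrays are still found, and the comparison is on the lowercased key, so `CONSTRUCTOR` or `__Proto__` do not slip past a case-sensitive filter.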
Configuration
app.use(arcis({
  block: true,                                  // reject matching requests with 403 instead of stripping the key
  sanitize: { prototype: { enabled: true } }    // run the dangerous-key check during object traversal
}));
Disable
Strongly discouraged. The risk of leaving prototype pollution exploitable far exceeds any reason to opt out.