Node.js 原型链污染新视角<\/h1>

原型链污染基础概念<\/h2>

原型链污染是Node.js中一种常见的安全漏洞，其基本原理如下：<\/p>

原型链机制<\/strong>：<\/p>

对象的__proto__<\/code>是原型，原型也是一个对象，也有__proto__<\/code>属性<\/li>
原型的__proto__<\/code>又是原型的原型，这样一直向上查找直到找到Object<\/code>的原型<\/li>
当在一个对象中寻找属性时，如果对象没有该属性，就会沿着原型链向上查找<\/li> <\/ul> <\/li>
污染原理<\/strong>：<\/p> 通过直接污染Object<\/code>对象的属性值，使得目标对象在查找该属性时返回被污染的值<\/li> 示例代码： const<\/span> foo<\/span> =<\/span> { bar<\/span>:<\/span> 1<\/span> }; <\/span><\/span>foo<\/span>.__proto__<\/span>.bar<\/span> =<\/span> 2<\/span>; <\/span><\/span>console<\/span>.log<\/span>(foo<\/span>.bar<\/span>); \/\/ 1 (foo本身有bar属性) <\/span><\/span><\/span><\/span>const<\/span> zoo<\/span> =<\/span> {}; <\/span><\/span>console<\/span>.log<\/span>(zoo<\/span>.bar<\/span>); \/\/ 2 (zoo没有bar属性，从原型链找到被污染的bar) <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> <\/ol> 原型链访问方式<\/h2> 通常有三种方式可以访问对象的原型：<\/p> objectname["__proto__"]<\/code><\/li> objectname.__proto__<\/code><\/li> objectname.constructor.prototype<\/code><\/li> <\/ol> 实际案例分析<\/h2> 案例背景<\/h3> 分析一个基于Express的Node.js应用，主要功能包括：<\/p> 用户注册(\/register<\/code>)<\/li> 用户登录(\/login<\/code>)<\/li> 主题配置(\/theme<\/code>)<\/li> <\/ol> 关键代码分析<\/h3> 用户注册逻辑<\/strong>：<\/p> app<\/span>.post<\/span>('\/register'<\/span>, (req<\/span>, res<\/span>) => { <\/span><\/span> const<\/span> { username<\/span>, password<\/span> } =<\/span> req<\/span>.body<\/span>; <\/span><\/span> users<\/span>[username<\/span>] =<\/span> { <\/span><\/span> password<\/span>:<\/span> password<\/span>, <\/span><\/span> isAdmin<\/span>:<\/span> false<\/span>, \/\/ 默认设置为false <\/span><\/span><\/span><\/span> themeConfig<\/span>:<\/span> { \/* 主题配置 *\/<\/span> } <\/span><\/span> }; <\/span><\/span>}); <\/span><\/span><\/code><\/pre><\/li> 用户登录逻辑<\/strong>：<\/p> app<\/span>.post<\/span>('\/login'<\/span>, (req<\/span>, res<\/span>) => { <\/span><\/span> const<\/span> { username<\/span>, password<\/span> } =<\/span> req<\/span>.body<\/span>; <\/span><\/span> const<\/span> user<\/span> =<\/span> users<\/span>[username<\/span>]; \/\/ 关键点：会查找原型链 <\/span><\/span><\/span><\/span> if<\/span> (user<\/span> &&<\/span> user<\/span>.password<\/span> ===<\/span> password<\/span>) { <\/span><\/span> req<\/span>.session<\/span>.userId<\/span> =<\/span> username<\/span>; <\/span><\/span> res<\/span>.redirect<\/span>('\/'<\/span>); <\/span><\/span> } <\/span><\/span>}); <\/span><\/span><\/code><\/pre><\/li> 主题配置逻辑<\/strong>：<\/p> app<\/span>.get<\/span>('\/theme'<\/span>, (req<\/span>, res<\/span>) => { <\/span><\/span> \/\/ 将用户提交的参数合并到themeConfig中 <\/span><\/span><\/span><\/span> \/\/ 存在原型链污染风险点 <\/span><\/span><\/span><\/span>}); <\/span><\/span><\/code><\/pre><\/li> <\/ol> 安全限制<\/h3> 应用中存在WAF过滤，阻止了以下关键词：<\/p> __proto__<\/code><\/li> prototype<\/code><\/li> constructor<\/code><\/li> <\/ul> 创新攻击思路<\/h2> 传统思路的限制<\/h3> 传统原型链污染需要访问Object<\/code>原型，但这里无法通过常规方式(__proto__<\/code>等)访问原型。<\/p> 新思路：利用Object已有属性<\/h3> 绕过登录验证<\/strong>：<\/p> 使用Object<\/code>已有的方法名作为用户名(如isPrototypeOf<\/code>)<\/li> 由于users[username]<\/code>会查找原型链，Object.isPrototypeOf<\/code>存在<\/li> 不提供密码，使user.password === undefined === password<\/code><\/li> <\/ul> <\/li> 新型污染方式<\/strong>：<\/p> 无法直接污染Object.prototype.isAdmin<\/code><\/li> 改为污染Object.prototype.isPrototypeOf.isAdmin<\/code><\/li> 通过主题配置接口传入isPrototypeOf.isAdmin=true<\/code><\/li> <\/ul> <\/li> 条件满足逻辑<\/strong>：<\/p> users[req.session.userId].isAdmin<\/code> => users["isPrototypeOf"].isAdmin<\/code><\/li> users<\/code>对象没有isPrototypeOf<\/code>属性，查找原型链<\/li> 找到被污染的Object.isPrototypeOf.isAdmin=true<\/code><\/li> <\/ul> <\/li> <\/ol> 攻击步骤<\/h3> 访问\/theme<\/code>路由，传入参数isPrototypeOf.isAdmin=1<\/code>进行污染<\/li> 使用用户名isPrototypeOf<\/code>和空密码登录<\/li> 访问\/flag<\/code>路由获取flag<\/li> <\/ol> 防御建议<\/h2> 避免使用用户输入直接修改对象属性<\/li> 使用Object.create(null)<\/code>创建无原型的对象<\/li> 对用户输入进行严格过滤<\/li> 使用Object.hasOwnProperty<\/code>检查属性是否存在<\/li> 避免使用不安全的对象合并操作<\/li> <\/ol> 总结<\/h2> 本案例展示了一种新型的原型链污染利用方式：<\/p> 当无法直接访问Object<\/code>原型时，可以利用Object<\/code>已有的属性进行间接污染<\/li> 通过污染Object<\/code>已有属性的子属性，实现类似原型链污染的效果<\/li> 结合JavaScript原型链查找机制，实现权限绕过<\/li> <\/ol> 这种技术扩展了原型链污染的利用场景，即使在常规污染方式被防御的情况下，仍可能找到新的攻击路径。<\/p>