Finally, the English version of “JavaScript prototype pollution: practice of finding and exploitation” article is prepared. Using the techniques Nikita Stupin discovered CVE-2020–28460 in multi-ini parser and a vulnerability in the merge-deep package. With the first one, everything went smoothly, but with the second one, a funny situation came out: after sending the report, the maintainer did not get in touch for a long time, and as a result, GitHub Security Lab found the same vulnerability, managed to reach the maintainer earlier and registered it (GHSL-2020–160). All details related to these vulnerabilities, discovery and exploitation techniques, and recommendations on how to protect your applications are collected in the article.
Denis is chief technology officer of cybersecurity product line at telecommunications company. He is responsible for product development, defining technology strategy and driving future technical innovation.
