Client-side prototype pollution for Moodle

Client-side prototype pollution for Moodle

Shravan K གིས-
Number of replies: 2

We are using Moodle 3.11 and would like to know about the client prototype pollution for Moodle.
During the security report it was found that while accessing any of pages on Moodle and in the console if we try to create the object and trying to change the value, it is getting changed.
This is considered as client prototype pollution. 

As with this hacker can get the internal value of the object using _proto_ and modify the original value of the object data and process the request with modified object.
Could you please help here to mitigate this?
Adding the screenshot here for reference.

Attachment ptp.png
དཔྱ་སྙོམས་ཀྱི་སྐུགས་ཚུ།: -
In reply to Shravan K

Re: Client-side prototype pollution for Moodle

Michael Hawkins གིས-
Core developers གི་པར Moodle HQ གི་པར Particularly helpful Moodlers གི་པར Peer reviewers གི་པར Testers གི་པར

Hi Shravan,

What you are achieving here is creating an object in the browser console, and then manipulating your own object. JavaScript can be executed in the browser console as that is its purpose. You will be able to paste the same code snipped into the console on any website and achieve the same output.

Although in this case the information is not a security issue, please carefully read the following, which is an excerpt from information published at the very top of this forum:

Please do not post security scans or vulnerability findings in this public forum. Any potential vulnerabilities can be submitted via the Security Submission form, which adheres to our Security Procedures and Responsible Disclosure Policy.

དཔྱ་སྙོམས་ཀྱི་སྐུགས་ཚུ།: -
In reply to Shravan K

Re: Client-side prototype pollution for Moodle

Marcus Green གིས-
Core developers གི་པར Particularly helpful Moodlers གི་པར Plugin developers གི་པར Testers གི་པར
This is how the web works. You can do anything you want to javascript items in your own browser on any web site. But Michael is the real expert on this.
དཔྱ་སྙོམས་ཀྱི་སྐུགས་ཚུ།: -