Prototype Pollution: Client-side prototype pollution via flawed sanitization

Introduction to Client-side prototype pollution via flawed sanitization

Client-side prototype pollution via flawed sanitization is a vulnerability in web applications whose input sanitization fails to reliably filter prototype pollution payloads. An attacker can then modify an object's prototype, which can lead to attacks such as cross-site scripting or remote code execution. To prevent such attacks, implement sanitization that cannot be bypassed and thoroughly test all user input.

Lab Solutions | Practical Work Time

This lab is vulnerable to DOM XSS via client-side prototype pollution. Although the developers have implemented measures to prevent prototype pollution, these can be easily bypassed.

Stepwise Solution of the Lab

I hope you have accessed the lab. 🙂

Previously we used the query string /?__proto__.xyz=bar and checked whether the prototype was polluted by inspecting Object.prototype in the console.

Let's do the same in this lab and inspect Object.prototype in the console.

The injected xyz property has not been added, so let's try alternative prototype pollution vectors. For example:

/?__proto__[xyz]=bar

/?constructor.prototype.xyz=bar

Still the same result. Now try /?__pro__proto__to__[xyz]=bar; this one will definitely be injected, because the sanitizer strips the string __proto__ only once, so the remaining characters __pro and to__ join back into __proto__ after filtering. Take a look by inspecting Object.prototype in the console.

Now find the sink by opening the Sources tab and looking at the file named searchLoggerFiltered.js.

Here we find the property transport_url being used.

In this case you only need a small change to that query string (or payload, whichever you prefer to call it) to solve the lab:

?__pro__proto__to__[transport_url]=data:,alert(1);
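To make the single-pass stripping bug and the sink-side fix concrete, here is an added example (not the lab's own code, and not the author's). It models a query-string parser with a flawed sanitizer that strips __proto__ and constructor once, a hardened sanitizer that rejects rather than transforms keys, and an own-property read of transport_url that ignores an inherited (polluted) value. The function names, the parser itself and the probe key xyz are assumptions for illustration; the payloads are the ones used above.

```javascript
'use strict';

// Split "a[b].c" / "a.b.c" style keys into path segments.
function splitPath(key) {
  return key.split(/\.|\[|\]/).filter(Boolean);
}

// Flawed sanitizer (hypothetical model of the lab's behaviour as described
// above): "__proto__" and "constructor" are stripped in a single pass and the
// result is never re-scanned, so "__pro__proto__to__" collapses into "__proto__".
function sanitizeKeyFlawed(key) {
  return key.replace(/__proto__/g, '').replace(/constructor/g, '');
}

// Hardened sanitizer: validate, never transform. A key whose path contains a
// prototype-reaching segment is rejected outright (null); because nothing is
// stripped, no leftover characters can be reassembled into a blocked name.
const BLOCKED_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
function sanitizeKeyHardened(key) {
  return splitPath(key).some((seg) => BLOCKED_SEGMENTS.has(seg)) ? null : key;
}

// Parse a query string into a nested object. `sanitize` is applied to each raw
// key and returns the key to use, or null to drop that parameter.
function parseQuery(query, sanitize) {
  const result = {};
  const params = new URLSearchParams(query.replace(/^\?/, ''));
  for (const [rawKey, value] of params) {
    const key = sanitize(rawKey);
    if (key === null) continue;
    const path = splitPath(key);
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== 'object' || node[path[i]] === null) {
        node[path[i]] = {};
      }
      node = node[path[i]]; // with a "__proto__" segment this is Object.prototype
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Parse `query`, report whether `probeKey` leaked onto Object.prototype, then
// remove it again so later checks start from a clean prototype.
function pollutes(query, sanitize, probeKey) {
  parseQuery(query, sanitize);
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, probeKey);
  delete Object.prototype[probeKey];
  return polluted;
}

// Sink-side defence: only honour transport_url when it is the object's own
// property, so a value inherited from a polluted prototype is ignored.
function readTransportUrl(config) {
  return Object.prototype.hasOwnProperty.call(config, 'transport_url')
    ? config.transport_url
    : null;
}

// Pollute via the flawed sanitizer, then compare a naive property read with the
// own-property read. Cleans the prototype up afterwards.
function sinkComparison() {
  parseQuery('?__pro__proto__to__[transport_url]=data:,alert(1);', sanitizeKeyFlawed);
  const config = {}; // has no own transport_url
  const out = { naive: config.transport_url, guarded: readTransportUrl(config) };
  delete Object.prototype.transport_url;
  return out;
}

const PAYLOADS = [
  '?__proto__[xyz]=bar',            // flawed filter reduces the key to "[xyz]"
  '?constructor.prototype.xyz=bar', // "constructor" is stripped, path becomes prototype.xyz
  '?__pro__proto__to__[xyz]=bar',   // single-pass strip leaves "__proto__[xyz]"
];

for (const p of PAYLOADS) {
  console.log(p, 'flawed:', pollutes(p, sanitizeKeyFlawed, 'xyz'),
              'hardened:', pollutes(p, sanitizeKeyHardened, 'xyz'));
}
console.log(sinkComparison());
```

Running it with Node shows only the third payload polluting under the flawed sanitizer and none under the hardened one, and the sink comparison shows the naive read returning the injected string while the own-property read returns null. The two design choices worth copying are rejecting keys instead of rewriting them and never trusting inherited properties at the sink.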

Thank you for reading; if this article really helped you, then do share it with your mates.
And follow @masaudsec on Twitter.
