Introduction to Client-side prototype pollution via flawed sanitization
Client-side prototype pollution via flawed sanitization is a security vulnerability that occurs in web applications when input validation fails to properly check for prototype pollution payloads. It allows attackers to modify an object's prototype, which can lead to attacks such as cross-site scripting or remote code execution. To prevent such attacks, it's important to implement secure validation practices and thoroughly test all user input.
Lab Solutions | Practical Work Time
This lab is vulnerable to DOM XSS via client-side prototype pollution. Although the developers have implemented measures to prevent prototype pollution, these can be easily bypassed.
Stepwise Solution of the Lab
I hope you have accessed the lab. 🙂
Previously we used the query string /?__proto__.xyz=bar and checked whether the prototype was polluted by executing Object.prototype in the console.
Let's do the same in this lab to identify it:
You can see the injected xyz property has not been added. So now let's try alternative prototype pollution vectors. For example:
/?__proto__[xyz]=bar
/?constructor.prototype.xyz=bar
Still the same issue. Now try this one: /?__pro__proto__to__[xyz]=bar. It will show as injected for sure, because stripping __proto__ once from __pro__proto__to__ leaves __proto__ behind. Let's take a look by executing Object.prototype in the console.
Now find the sink by exploring the 'Sources' section for the file named 'searchLoggerFiltered.js'.
Here we find 'transport_url'.
In this case you need to make a simple modification to that query string (or payload, whatever you call it) to solve the lab:
?__pro__proto__to__[transport_url]=data:,alert(1);
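To see why the nested payload gets through while the plain vectors do not, here is an added example (not the lab's own code, and not a reproduction of searchLoggerFiltered.js): a simplified, assumed model of a deparam-style query parser whose key sanitizer strips `__proto__`, `constructor` and `prototype` in a single non-recursive pass, alongside a stricter sanitizer that rejects any key containing those names instead of trying to repair it. The vector list, the `xyz` marker property and the `transport_url`-free parser are constructed for the demonstration; the sink itself is not modelled.

```javascript
// Added example (not the lab's code): a simplified model of a query-string
// parser whose key sanitizer strips forbidden names in a single pass, the
// bypass that follows from that, and a stricter sanitizer that rejects keys.
// The real lab's sanitizer is not reproduced here; this is an assumed model.

const FORBIDDEN = ['__proto__', 'constructor', 'prototype'];

// Flawed: remove each forbidden name once. Non-recursive, so a key like
// "__pro__proto__to__" loses only its inner "__proto__" and the leftover
// characters close up into a fresh "__proto__".
function sanitizeKeyFlawed(key) {
  let out = key;
  for (const bad of FORBIDDEN) out = out.split(bad).join('');
  return out;
}

// Hardened: never try to repair a key, refuse it. Any key containing a
// forbidden name is dropped (null), which also covers the nested form.
function sanitizeKeyStrict(key) {
  return FORBIDDEN.some((bad) => key.includes(bad)) ? null : key;
}

// "a[b][c]" or "a.b.c" -> ["a", "b", "c"]
function splitPath(name) {
  return name.replace(/\]/g, '').split(/[\[.]/);
}

// Build a nested object from the query string, deparam-style, passing every
// path segment through `sanitize` first. Throws when a segment is rejected.
function parseQuery(url, sanitize) {
  const query = url.includes('?') ? url.slice(url.indexOf('?') + 1) : url;
  const result = {};
  for (const [name, value] of new URLSearchParams(query)) {
    const path = splitPath(name).map(sanitize);
    if (path.includes(null)) throw new Error(`rejected key: ${name}`);
    let node = result;
    for (let i = 0; i < path.length - 1; i += 1) {
      // walking through a surviving "__proto__" lands on Object.prototype
      if (typeof node[path[i]] !== 'object' || node[path[i]] === null) node[path[i]] = {};
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// The console check from the writeup, as a function: is `prop` now an own
// property of Object.prototype?
function prototypeHas(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Run the writeup's vectors (constructed list) against both sanitizers and
// report, per vector, whether it reached Object.prototype. Cleans up after
// itself so the global prototype is left as it was found.
function demo() {
  const vectors = [
    '/?__proto__.xyz=bar',
    '/?__proto__[xyz]=bar',
    '/?constructor.prototype.xyz=bar',
    '/?__pro__proto__to__[xyz]=bar',
  ];
  const report = {};
  for (const v of vectors) {
    let flawed;
    try {
      parseQuery(v, sanitizeKeyFlawed);
      flawed = prototypeHas('xyz') ? 'polluted' : 'blocked';
    } catch (e) {
      flawed = 'rejected';
    }
    delete Object.prototype.xyz;
    let strict;
    try {
      parseQuery(v, sanitizeKeyStrict);
      strict = prototypeHas('xyz') ? 'polluted' : 'blocked';
    } catch (e) {
      strict = 'rejected';
    }
    delete Object.prototype.xyz;
    report[v] = { flawed, strict };
  }
  return report;
}

if (typeof require !== 'undefined' && require.main === module) console.table(demo());
```

Run it with `node` and the table shows the three plain vectors as `blocked` under the flawed sanitizer (the stripped key becomes an empty string and lands on a harmless own property), while `__pro__proto__to__[xyz]` is `polluted`; the strict sanitizer reports every one as `rejected`. Rejecting rather than stripping is the key design choice: once a value is known to be hostile there is nothing to gain from "cleaning" it, and any repair step invites exactly this kind of reassembly. Building the result with `Object.create(null)` containers and `Object.hasOwn` checks is a worthwhile second layer on top.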
Thank you for reading. If this article really helped you, then do share it with your mates.
And follow @masaudsec on Twitter.