Introduction to the DOM XSS via an alternative prototype pollution vector
Alternative prototype pollution vectors can be exploited to execute malicious code in a victim’s browser, leading to DOM-based cross-site scripting (XSS) attacks. This vulnerability arises when an attacker can manipulate the prototype chain of an object. To prevent these types of attacks, it’s important to validate and sanitize all user input, avoid modifying the prototype chain of objects, and keep JavaScript libraries and frameworks up-to-date.
Lab Solutions | Practical Work Time
Lab Description:
This lab is vulnerable to DOM XSS via client-side prototype pollution. To solve the lab:
- Find a source that you can use to add arbitrary properties to the global Object.prototype.
- Identify a gadget property that allows you to execute arbitrary JavaScript.
- Combine these to call alert().
Stepwise Solution of the Lab
First, let’s talk about this lab. It is similar to the previous lab, but there is a slight difference that I’ll show you.
If you read our previous article, you might have seen that we submitted the query string /?__proto__[xyz]=bar
and confirmed the prototype pollution by inspecting Object.prototype in the browser console.
Let’s do the same as in the previous lab and check what happens.

In this case it doesn’t work, so what should we do now? Here is the small difference: go back to the query string and use an alternative prototype pollution vector:
/?__proto__.xyz=bar
If you now inspect Object.prototype in the console, the property ‘xyz’ shows up with the value ‘bar’.
This means you have successfully found a prototype pollution source.

In the browser, go to the Sources tab.
Study the JavaScript files that are loaded by the target site and look for any DOM XSS sinks.
Notice that there is an eval() sink in searchLoggerAlternative.js.
Notice that the manager.sequence property is passed to eval().

Try injecting an arbitrary ‘sequence’ property with an XSS proof-of-concept payload using the prototype pollution source you previously identified:
/?__proto__.sequence=alert(1)

Still nothing happens, right? Now is the time to fix it once and for all by appending ‘-’ to the URL:
/?__proto__.sequence=alert(1)-
Let me explain why.
Add a breakpoint on the eval() line in searchLoggerAlternative.js by clicking its line number, then reload the page.
With the mouse pointer over the manager.sequence reference, you can see that its value is alert(1)1.
This shows that our payload was successfully delivered to the sink, but because a numeric 1 character was appended to it, the result is not valid JavaScript syntax. With the trailing ‘-’ the sink instead receives alert(1)-1, which is a valid expression, so the alert() call executes.
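As an added example (not the lab’s own code), the following JavaScript shows both halves of what this lab demonstrates: a query-string parser that follows dotted keys into nested objects and therefore lets __proto__.sequence reach Object.prototype, the same parser hardened so that source is closed, and a constructed stand-in for the sink described above that adds 1 to manager.sequence. The sink model, the function names and the parsers are assumptions, not the lab’s code.

```javascript
// VULNERABLE (constructed, not the lab's code): dotted segments are followed with
// no name check, so "__proto__.sequence" walks into Object.prototype and writes there.
function parseParamsUnsafe(search) {
  const params = {};
  for (const [key, value] of new URLSearchParams(search)) {
    const path = key.split(".");
    let node = params;
    for (const seg of path.slice(0, -1)) {
      if (typeof node[seg] !== "object" || node[seg] === null) node[seg] = {};
      node = node[seg];
    }
    node[path[path.length - 1]] = value;
  }
  return params;
}
// HARDENED: drop any key with a prototype-reaching segment, and build
// prototype-less containers so a missed check still has no chain to pollute.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);
function parseParamsSafe(search) {
  const params = Object.create(null);
  for (const [key, value] of new URLSearchParams(search)) {
    const path = key.split(".");
    if (path.some((seg) => FORBIDDEN.has(seg))) continue; // reject (or log) the parameter
    let node = params;
    for (const seg of path.slice(0, -1)) {
      if (!Object.prototype.hasOwnProperty.call(node, seg)) node[seg] = Object.create(null);
      node = node[seg];
    }
    node[path[path.length - 1]] = value;
  }
  return params;
}
// Sink model (assumed from the page's description, not the lab's code): manager.sequence
// is read, 1 is added, and the result is what eval() would receive. It is returned, not
// evaluated; pollution the parser caused is undone in `finally` so runs stay independent.
function sinkInputFor(parser, search) {
  const before = new Set(Object.getOwnPropertyNames(Object.prototype));
  try {
    const manager = { params: parser(search) };
    manager.sequence = (manager.sequence || 1) + 1; // inherited "alert(1)" -> "alert(1)1"
    return String(manager.sequence);
  } finally {
    for (const n of Object.getOwnPropertyNames(Object.prototype)) if (!before.has(n)) delete Object.prototype[n];
  }
}
// Syntax check only, nothing is executed: "alert(1)1" fails, "alert(1)-1" parses.
function parsesAsJavaScript(code) {
  try { new Function(code); return true; } catch (e) { return false; }
}
```

Running sinkInputFor with parseParamsUnsafe reproduces the alert(1)1 value seen at the breakpoint, while parseParamsSafe leaves manager.sequence at its default and the polluted value never reaches the sink.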

Boom, here we go: the lab has been solved successfully.
Thank you for reading. If this article really helped you, then do share it with your mates.
And follow @masaudsec on Twitter.