Introduction to the DOM XSS via an alternative prototype pollution vector
Lab Solutions | Practical Work Time
This lab is vulnerable to DOM XSS via client-side prototype pollution. To solve the lab:
- Find a source that you can use to add arbitrary properties to the global
- Combine these to call
Stepwise Solution of the Lab
First, let’s talk about this lab. It’s similar to the previous lab, but there’s a slight difference that I’ll show you.
If you read our previous article, you might have seen that we pushed this query string: /?__proto__[xyz]=bar
We then confirmed the prototype pollution in the browser Console by executing
Let’s do the same as the previous one and check what will happen.
In this case, it’s not working, so what should we do now? Well, here’s the small difference: go back to the query and use an alternative prototype pollution vector:
Now, as you can see, the property ‘xyz’ you typed is showing, and so is the value ‘bar’ you typed.
That means you have successfully found a prototype pollution source.
In the browser, go to the Sources tab.
Notice that there is an eval() sink in
Notice that the manager.sequence property is passed to
Try injecting an arbitrary ‘sequence’ property with an XSS proof-of-concept payload using the prototype pollution source you previously identified:
Still nothing happened, right? Now it’s time to fix it once and for all by appending a ‘-’ to the URL.
Let me explain why.
To add a breakpoint to this line, click the line number, then reload the page.
With the mouse pointer over the manager.sequence reference, you can see that
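The two halves of the walkthrough above (finding the source with the bracket and dot vectors, then reaching the eval() sink through manager.sequence) can be reproduced offline with the following added example. It is not the lab's own code: it models a naive client-side query-string parser of the kind that turns `__proto__[xyz]=bar` into an assignment on Object.prototype, puts a hardened parser beside it, and adds a sink-side check that ignores an inherited `sequence` property. The `manager` object, the `sequence` name and the `xyz`/`bar` values are taken from the write-up; everything else (function names, the constructed query strings) is assumed for illustration.

```javascript
// Added example, not the lab's own code. Models the pattern behind the lab:
// a query-string parser that walks "a[b]=c" / "a.b=c" keys into an object,
// which lets "__proto__[xyz]=bar" (or "__proto__.xyz=bar") reach
// Object.prototype. A hardened parser and a sink-side check follow.

const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Split "a[b][c]" or "a.b.c" into ["a", "b", "c"].
function keyToPath(rawKey) {
  return decodeURIComponent(rawKey).replace(/\[([^\]]*)\]/g, ".$1").split(".");
}

// Split "?k=v&k2=v2" into [[path, value], ...]; shared by both parsers.
function splitQuery(query) {
  return query.replace(/^\?/, "").split("&").filter(Boolean).map((pair) => {
    const eq = pair.indexOf("=");
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? "" : pair.slice(eq + 1);
    return [keyToPath(rawKey), decodeURIComponent(rawVal)];
  });
}

// Vulnerable (kept deliberately): assigns through whatever object the path
// reaches. When the first segment is "__proto__", `node` becomes
// Object.prototype and the final assignment pollutes every object in the page.
function parseQueryNaive(query) {
  const result = {};
  for (const [path, value] of splitQuery(query)) {
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== "object" || node[path[i]] === null) {
        node[path[i]] = {};
      }
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Hardened: drops any pair whose path touches a prototype-related segment, and
// builds null-prototype objects so no assignment can walk up to Object.prototype.
function parseQuerySafe(query) {
  const result = Object.create(null);
  for (const [path, value] of splitQuery(query)) {
    if (path.some((seg) => FORBIDDEN_SEGMENTS.has(seg))) continue;
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (!hasOwn(node, path[i]) || typeof node[path[i]] !== "object") {
        node[path[i]] = Object.create(null);
      }
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Sink-side check: only honour an own property, so an inherited (polluted)
// "sequence" never reaches the eval() call the lab describes.
function readSequence(manager) {
  return hasOwn(manager, "sequence") ? manager.sequence : undefined;
}

// Mirrors the Console check from the write-up: does Object.prototype now carry
// the property?
function isPolluted(name) {
  return hasOwn(Object.prototype, name);
}

// Undo a pollution so one demo does not leak into the next.
function cleanPrototype(name) {
  delete Object.prototype[name];
}

// Stand-alone demo over constructed query strings.
if (typeof require !== "undefined" && require.main === module) {
  parseQueryNaive("?__proto__[xyz]=bar");
  console.log("naive parser, bracket vector polluted:", isPolluted("xyz"), ({}).xyz);
  cleanPrototype("xyz");
  parseQueryNaive("?__proto__.xyz=bar");
  console.log("naive parser, dot vector polluted:", isPolluted("xyz"), ({}).xyz);
  cleanPrototype("xyz");
  parseQuerySafe("?__proto__[xyz]=bar");
  console.log("hardened parser polluted:", isPolluted("xyz"));
}
```

The check that matters for this lab is the last one: even if a parser elsewhere on the page has polluted Object.prototype, a sink that reads only own properties of `manager` never sees the injected `sequence`, so the eval() call never receives attacker-controlled text. Rejecting the three prototype-related segments in the parser closes the source; the own-property check closes the sink; a defender wants both.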
Boom, here we go: the lab has been solved successfully.
Thank you for reading. If this article really helped you, do share it with your mates.
And follow @masaudsec on Twitter.