Prototype Pollution

Prototype Pollution: DOM XSS via client-side prototype pollution

Introduction: What is DOM XSS and What are Prototype Pollution Attacks?

DOM XSS is a type of web vulnerability where an attacker can inject harmful code into a website that’s viewed by other users. It happens when the website doesn’t validate or encode user input before inserting it into the page. Prototype pollution is another vulnerability that occurs in JavaScript applications, where an attacker can modify the prototype of an object to insert malicious code into the application. Both vulnerabilities can lead to serious data breaches and other security issues. It’s important for developers to validate user input and use security measures to prevent these attacks.

Lab Solutions | Practical Work Time

Lab Description:-
This lab is vulnerable to DOM XSS via client-side prototype pollution. To solve the lab:

  1. Find a source that you can use to add arbitrary properties to the global Object.prototype.
  2. Identify a gadget property that allows you to execute arbitrary JavaScript.
  3. Combine these to call alert().

Stepwise Solution of the Lab

#So after accessing the lab, I hope you opened your Burp Suite and turned on Intercept too. 🙂

Firstly, open the ‘Console’ of that page where you’ve to solve the lab. Then write Object.prototype

And press enter. Check the thread you’d understand nothing right?

Well now Go back to the tab and put this “/?__proto__[xyz]=bar” payload on the url and press enter.

Now do the same as we did before go to “console” and execute Object.prototype . Well if you can see as you typed [xyz] in the property that showing and as you typed ‘bar’ in the value that showing.
It means you’ve successfully found a prototype pollution source.

Now turn back to the Burp Suite and check ‘Target’ section. Open the thread you will find a file named ‘js’.

Open ‘js’ file and you can see there are two file named ‘deparam.js’ and ‘searchLogger.js’ send both to the ‘Repeater’ section.

Prototype Pollution

So we send both into repeater to check the response, look at there we found ‘transport_url’.

Let’s solve it now in once now. So for that you’ve to put this payload:-
/?__proto__[transport_url]=data:,alert(1);

Here we go see the lab has been solved.

Thank you for reading, if this article really helps you than do share with your mates.
And follow @masaudsec on Twitter.

Leave a Comment