# WEB18: Prototype pollution
## Lab: DOM XSS via client-side prototype pollution
```!
This lab is vulnerable to DOM XSS via client-side prototype pollution. To solve the lab:
Find a source that you can use to add arbitrary properties to the global Object.prototype.
Identify a gadget property that allows you to execute arbitrary JavaScript.
Combine these to call alert().
You can solve this lab manually in your browser, or use DOM Invader to help you.
```
Using DOM Invader, we find the following sources:

Next, using "Scan for gadgets", we are led to the function in searchLogger.js

Here, with the prototype pollution bug from before, we can control the `src` attribute of the script tag.
So the final payload is: `?__proto__[transport_url]=data:,alert(1);`

Solved

## Lab: DOM XSS via an alternative prototype pollution vector
```!
This lab is vulnerable to DOM XSS via client-side prototype pollution. To solve the lab:
Find a source that you can use to add arbitrary properties to the global Object.prototype.
Identify a gadget property that allows you to execute arbitrary JavaScript.
Combine these to call alert().
You can solve this lab manually in your browser, or use DOM Invader to help you.
```
Still using DOM Invader, we find another prototype pollution vector

And another sink

Specifically, in this function

Final payload: `?__proto__.sequence=);alert(1)}//`

Solved

## Lab: Client-side prototype pollution via flawed sanitization
```!
This lab is vulnerable to DOM XSS via client-side prototype pollution. Although the developers have implemented measures to prevent prototype pollution, these can be easily bypassed.
To solve the lab:
Find a source that you can use to add arbitrary properties to the global Object.prototype.
Identify a gadget property that allows you to execute arbitrary JavaScript.
Combine these to call alert().
```
We can see that this time the site has a sanitization measure: it replaces the strings `constructor`, `__proto__` and `prototype`

However, we can still bypass it as follows:

The sink is in the `searchLogger` function in the file `searchLoggerFiltered.js`

Final payload

Solved
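The two client-side labs above share one root cause: a bracket-notation query-string parser that walks the key path with plain property access, so the first segment `__proto__` resolves to `Object.prototype` and the final write lands there. The following is an added example, not the labs' own code, showing (1) such a naive parser being polluted by the `?__proto__[transport_url]=...` source from the first lab, (2) a single-pass string-replace sanitizer like the one the flawed-sanitization lab relies on, which can be defeated by nested tokens, and (3) a hardened parser that rejects the dangerous keys at every nesting level and stores values in prototype-less containers. All function names and the `DANGEROUS_KEYS` list are assumptions for the demo.

```javascript
// Added example (not the lab's code). Demonstrates how a bracket-notation
// query parser becomes a prototype pollution source and how to close it.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Splits "a[b][c]" into ["a", "b", "c"].
function splitKeyPath(rawKey) {
  return rawKey.replace(/\]/g, '').split('[');
}

// Naive parser: plain property access at each step. For "__proto__[x]" the
// first hop returns Object.prototype (it is an object, so it is not replaced),
// and the final assignment writes Object.prototype.x.
function parseQueryNaive(search) {
  const result = {};
  for (const [rawKey, value] of new URLSearchParams(search)) {
    const path = splitKeyPath(rawKey);
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== 'object' || node[path[i]] === null) node[path[i]] = {};
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Single-pass string replacement, the same idea as the lab's filter. Removing a
// token once from a key such as "__pro__proto__to__" leaves "__proto__" behind,
// which is why filtering at the string level is the wrong layer.
function flawedSanitize(rawKey) {
  return rawKey.replace(/__proto__|constructor|prototype/g, '');
}

// Hardened parser: refuse any dangerous segment outright (no rewriting), only
// descend into own properties, and keep values in prototype-less objects.
function parseQueryHardened(search) {
  const result = Object.create(null);
  for (const [rawKey, value] of new URLSearchParams(search)) {
    const path = splitKeyPath(rawKey);
    if (path.some((seg) => DANGEROUS_KEYS.has(seg))) {
      throw new Error(`rejected key path: ${rawKey}`);
    }
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      const seg = path[i];
      const own = Object.prototype.hasOwnProperty.call(node, seg);
      if (!own || typeof node[seg] !== 'object' || node[seg] === null) node[seg] = Object.create(null);
      node = node[seg];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Parses `search` with the naive parser and reports what an unrelated object
// created beforehand now inherits; cleans Object.prototype up afterwards.
function demoNaivePollution(search) {
  const victim = {};
  parseQueryNaive(search);
  const inherited = victim.transport_url;
  delete Object.prototype.transport_url;
  return inherited;
}

function hardenedRejects(search) {
  try {
    parseQueryHardened(search);
    return false;
  } catch (e) {
    return true;
  }
}
```

`demoNaivePollution('?__proto__[transport_url]=data:,alert(1);')` returns the injected string from an object that the parser never touched, which is exactly what the `searchLogger` gadget reads; `flawedSanitize('__pro__proto__to__')` returns `'__proto__'`; the hardened parser throws on the same input while still parsing ordinary keys such as `a[b]=1`.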

## Lab: Client-side prototype pollution in third-party libraries
```!
This lab is vulnerable to DOM XSS via client-side prototype pollution. This is due to a gadget in a third-party library, which is easy to miss due to the minified source code. Although it's technically possible to solve this lab manually, we recommend using DOM Invader as this will save you a considerable amount of time and effort.
To solve the lab:
Use DOM Invader to identify a prototype pollution and a gadget for DOM XSS.
Use the provided exploit server to deliver a payload to the victim that calls alert(document.cookie) in their browser.
This lab is based on real-world vulnerabilities discovered by PortSwigger Research. For more details, check out Widespread prototype pollution gadgets by Gareth Heyes.
```
DOM Invader finds the following two sources

And the corresponding sink is the setTimeout function; we need to pollute hitCallback:

We test with alert(1)

Set up the exploit server

Solve the lab

## Lab: Client-side prototype pollution via browser APIs
```!
This lab is vulnerable to DOM XSS via client-side prototype pollution. The website's developers have noticed a potential gadget and attempted to patch it. However, you can bypass the measures they've taken.
To solve the lab:
Find a source that you can use to add arbitrary properties to the global Object.prototype.
Identify a gadget property that allows you to execute arbitrary JavaScript.
Combine these to call alert().
You can solve this lab manually in your browser, or use DOM Invader to help you.
This lab is based on real-world vulnerabilities discovered by PortSwigger Research. For more details, check out Widespread prototype pollution gadgets by Gareth Heyes.
```
In this lab the source is still the same as before, `?__proto__[key]=value`. The difference is that the sink additionally calls defineProperty(), but the argument it passes (the `descriptor`) does not specify the `value` property, so we can pollute that property and make the value of `transport_url` our XSS payload.
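The reason the patch in this lab fails is that `Object.defineProperty()` reads every field of the descriptor by ordinary property lookup, so a field the descriptor omits (`value`, and equally `get`, `set` or `enumerable`) is taken from the prototype chain. The following is an added example, not the lab's code: a sink that pins `transport_url` with a partial descriptor and inherits a polluted `value`, beside two fixes (a fully specified descriptor, and a descriptor built with `Object.create(null)` so it has no prototype to inherit from). The helper `withPollutedValue` is an assumption for the demo; it sets `Object.prototype.value` only for the duration of the call and removes it afterwards.

```javascript
// Added example (not the lab's code). Shows why a descriptor without `value`
// is a prototype pollution gadget and how to define the property safely.

// Mimics the patched-but-flawed sink: the property is made non-configurable
// and non-writable, but no value is supplied, so ToPropertyDescriptor looks
// `value` up through the descriptor literal's prototype, Object.prototype.
function defineWithPartialDescriptor(config) {
  Object.defineProperty(config, 'transport_url', { configurable: false, writable: false });
  return config.transport_url;
}

// Fix 1: state the value explicitly; an own `value` shadows any inherited one.
function defineWithFullDescriptor(config, safeDefault) {
  Object.defineProperty(config, 'transport_url', {
    configurable: false,
    writable: false,
    value: safeDefault,
  });
  return config.transport_url;
}

// Fix 2: a descriptor with no prototype cannot inherit anything, so an
// omitted field is genuinely absent (and `value` defaults to undefined).
function defineWithNullProtoDescriptor(config) {
  const desc = Object.create(null);
  desc.configurable = false;
  desc.writable = false;
  Object.defineProperty(config, 'transport_url', desc);
  return config.transport_url;
}

// Runs `fn` while Object.prototype.value is polluted with `polluted`, then
// restores the prototype so nothing else in the process is affected.
function withPollutedValue(polluted, fn) {
  Object.prototype.value = polluted;
  try {
    return fn();
  } finally {
    delete Object.prototype.value;
  }
}

// Returns what each variant of the sink ends up exposing under pollution.
function compareSinks(polluted) {
  return {
    partial: withPollutedValue(polluted, () => defineWithPartialDescriptor({})),
    full: withPollutedValue(polluted, () => defineWithFullDescriptor({}, '/logger')),
    nullProto: withPollutedValue(polluted, () => defineWithNullProtoDescriptor({})),
  };
}
```

With `Object.prototype.value` polluted, only the partial descriptor yields the attacker-controlled string; the other two return the safe default and `undefined` respectively. Note that `writable: false` does nothing to help here, because the polluted value is baked in at definition time, before any later write could be blocked.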


Solved

## Lab: Privilege escalation via server-side prototype pollution
```!
This lab is built on Node.js and the Express framework. It is vulnerable to server-side prototype pollution because it unsafely merges user-controllable input into a server-side JavaScript object. This is simple to detect because any polluted properties inherited via the prototype chain are visible in an HTTP response.
To solve the lab:
- Find a prototype pollution source that you can use to add arbitrary properties to the global Object.prototype.
- Identify a gadget property that you can use to escalate your privileges.
- Access the admin panel and delete the user carlos.
You can log in to your own account with the following credentials: wiener:peter
```
After logging in with the provided account, we see there is a change-address feature

Its corresponding request looks like this

So let's try prototype pollution right here

-> successfully changed the property isAdmin to true
Delete the user carlos and solve the lab

## Lab: Detecting server-side prototype pollution without polluted property reflection
```!
This lab is built on Node.js and the Express framework. It is vulnerable to server-side prototype pollution because it unsafely merges user-controllable input into a server-side JavaScript object.
To solve the lab, confirm the vulnerability by polluting Object.prototype in a way that triggers a noticeable but non-destructive change in the server's behavior. As this lab is designed to help you practice non-destructive detection techniques, you don't need to progress to exploitation.
You can log in to your own account with the following credentials: wiener:peter
```
Same feature, same request; we proceed to detect prototype pollution

**Using the status code**



**Using json spaces**


**Using charset override**


Solved
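The privilege-escalation lab and the detection lab above rest on the same server-side mechanism: a recursive merge of the JSON body into a server-side object, where the body's own `__proto__` key makes `Object.prototype` the next merge target. The following is an added example, not the labs' server code. It shows (1) such a merge being used by a change-address handler and leaking `isAdmin` to every object in the process, (2) the non-destructive `json spaces` probe, and (3) a merge that drops prototype keys. The request bodies are constructed for the demo. The `renderJson` helper mimics, without using Express, how Express resolves `app.get('json spaces')` as a plain-object settings lookup (which falls through to the prototype chain) and hands the result to `JSON.stringify`; it is an assumption about the mechanism, not Express's code.

```javascript
// Added example (not the lab's server code). Server-side prototype pollution
// through an unsafe merge, the isAdmin gadget, the json spaces probe, and a
// hardened merge.

// Vulnerable: recursive merge with plain property access. For a body such as
// {"__proto__": {"isAdmin": true}}, JSON.parse creates an own key named
// "__proto__", target["__proto__"] evaluates to Object.prototype, and the
// recursion writes isAdmin there.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: iterate own keys only, drop prototype keys entirely, and only
// descend into the target's own properties.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN.has(key)) continue;
    const value = source[key];
    if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Simulated change-address handler: merge the body into the stored user
// record, then report what an authorisation check would see.
function changeAddress(merge, user, bodyJson) {
  merge(user, JSON.parse(bodyJson));
  return { isAdmin: user.isAdmin === true, address: user.address };
}

// Assumed model of Express: the app's settings are a plain object, and
// res.json() calls JSON.stringify(body, null, settings['json spaces']).
// An app that never configured json spaces expects this lookup to be undefined.
const appSettings = {};
function renderJson(body) {
  return JSON.stringify(body, null, appSettings['json spaces']);
}

function demo() {
  const results = {};
  const wiener = { username: 'wiener', address: 'old' };
  const bystander = { username: 'carlos' }; // never merged into
  try {
    // Constructed body: a legitimate field plus a polluting __proto__ object.
    results.unsafe = changeAddress(
      mergeUnsafe, wiener,
      '{"address":"new","__proto__":{"isAdmin":true,"json spaces":4}}');
    results.bystanderIsAdmin = bystander.isAdmin === true; // inherited, not set
    results.pollutedRender = renderJson({ ok: true });      // now pretty-printed
  } finally {
    delete Object.prototype.isAdmin;
    delete Object.prototype['json spaces'];
  }
  const wiener2 = { username: 'wiener', address: 'old' };
  results.safe = changeAddress(mergeSafe, wiener2, '{"address":"new","__proto__":{"isAdmin":true}}');
  results.cleanRender = renderJson({ ok: true });
  return results;
}
```

After the unsafe merge, `bystander.isAdmin` is `true` even though that object was never touched, and `renderJson({ ok: true })` changes from `{"ok":true}` to an indented body, which is the visible, non-destructive signal the detection lab asks for. The safe merge keeps the address update working while `isAdmin` stays `false`.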

## Lab: Bypassing flawed input filters for server-side prototype pollution
```!
This lab is built on Node.js and the Express framework. It is vulnerable to server-side prototype pollution because it unsafely merges user-controllable input into a server-side JavaScript object.
To solve the lab:
- Find a prototype pollution source that you can use to add arbitrary properties to the global Object.prototype.
- Identify a gadget property that you can use to escalate your privileges.
- Access the admin panel and delete the user carlos.
You can log in to your own account with the following credentials: wiener:peter
```
The request vulnerable to prototype pollution is still the same as in the previous labs; try polluting it normally

-> Unsuccessful; the server side may have sanitized or blocked the `__proto__` mechanism
Trying `__pro__proto__to__` also fails

Finally, apply prototype pollution via constructor.prototype

Solve the lab

## Lab: Remote code execution via server-side prototype pollution
```!
This lab is built on Node.js and the Express framework. It is vulnerable to server-side prototype pollution because it unsafely merges user-controllable input into a server-side JavaScript object.
Due to the configuration of the server, it's possible to pollute Object.prototype in such a way that you can inject arbitrary system commands that are subsequently executed on the server.
To solve the lab:
Find a prototype pollution source that you can use to add arbitrary properties to the global Object.prototype.
Identify a gadget that you can use to inject and execute arbitrary system commands.
Trigger remote execution of a command that deletes the file /home/carlos/morale.txt.
In this lab, you already have escalated privileges, giving you access to admin functionality. You can log in to your own account with the following credentials: wiener:peter
```
Same update-address feature as before

The difference in this lab is that by default we are already admin and have permission to run jobs


We guess that this feature runs child_process.fork(), so we try polluting its options object (`execArgv`)

Then select "Run maintenance jobs" again; the result

## Lab: Exfiltrating sensitive data via server-side prototype pollution
```!
This lab is built on Node.js and the Express framework. It is vulnerable to server-side prototype pollution because it unsafely merges user-controllable input into a server-side JavaScript object.
Due to the configuration of the server, it's possible to pollute Object.prototype in such a way that you can inject arbitrary system commands that are subsequently executed on the server.
To solve the lab:
- Find a prototype pollution source that you can use to add arbitrary properties to the global Object.prototype.
- Identify a gadget that you can use to inject and execute arbitrary system commands.
- Trigger remote execution of a command that leaks the contents of Carlos's home directory (/home/carlos) to the public Burp Collaborator server.
- Exfiltrate the contents of a secret file in this directory to the public Burp Collaborator server.
- Submit the secret you obtain from the file using the button provided in the lab banner.
In this lab, you already have escalated privileges, giving you access to admin functionality. You can log in to your own account with the following credentials: wiener:peter
```
Based on the theory, we guess the server uses child_process.execSync(). Exploit PP2RCE as follows


Adjust the payload to

And the secret

Solved

###### tags: `portswigger`