theAwful
  • Introduction
  • INTERNALS
    • Responder
      • NBNS/LLMNR
    • mitm6
    • Password Spraying
    • CME/NXC Cheatsheet
    • Kerberoasting
    • AS-REP Roasting
    • Dumping NTDS
  • Metasploit Payload and Listener
    • Encoder
    • Word Macros
    • Payloads
      • Earlybird
    • Metasploit Modules
  • OSEP Cheat Sheet
  • OSEP Challenges
    • Challenge 6
  • C2
    • Sliver
  • Privilege Escalation
    • PowerUp
    • Privilege Escalation
      • Internal Privilege Escalation (Linux)
  • Windows Local Recon
    • SQL Server
    • Application Whitelisting and Credentials
  • Linux Local Recon
  • File Transfer & Execution
  • Phishing
  • Ansible/Jfrog
  • Pivoting
  • Pass-the-hash
  • Remote Access
  • Post-Exploitation
    • Add User
    • AMSI, CLM, AppLocker
  • Credentials
  • Lateral Movement
  • Domain Enumeration
    • Users and Computers
    • ACLs
    • BloodHound
    • GPO
    • Trusts
    • User Hunting
  • Active Directory
    • Domain Recon - Kali
    • Domain Recon - Windows
    • Trusts
    • ADCS
      • ESC3
  • Web Application Testing
    • Host Headers
    • WAF Bypasses
    • Template Injection
    • Prototype Pollution
      • Client-side Prototype Pollution
    • Autorize
    • SQLmap
    • SSRF
    • File Uploads
    • Command Injection
    • XXE
      • Blind XXE
    • CSRF
    • XSS
      • XSS Methodology
      • Bypass WAF
  • MOBILE APPS
    • iOS
      • Install Tools
      • SSL Killswitch
    • Android
      • Install Tools
      • Setting up Burp
      • Red Teaming
  • Exploit Dev
    • AMSI Bypass
      • AMSI OpenSession
      • AMSI ScanBuffer
    • VBA Obfsu
    • APC Injection
    • EarlyBird Injection
  • DFIR
    • Malware Analysis
    • Memory Analysis
      • Volatility
    • Registry Analysis
      • RegRipper
    • Behavior Analysis
      • ShellBags
      • UserAssist
    • Filesystems
  • VISUAL STUDIO
    • Tricks
  • Scripts and Tools
    • Grep IPs from DNS ping
    • OSINT.sh
Powered by GitBook
On this page
  • What is it?
  • Checklist
  • Exploitation
  1. Web Application Testing
  2. Prototype Pollution

Client-side Prototype Pollution

What is it?

Client-side Prototype Pollution is an attack that occurs when an attacker is able to manipulate the prototype of a JavaScript object. This can lead to unexpected behavior in the application, and sometimes lead to bypassing of security measures and Remote Code Execution.

A simple example

Consider this vulnerable JavaScript function:

function extend(target, source) {
  for (let key in source) {
    target[key] = source[key];
  }
}

If an we can control the source object and sets source.__proto__.isAdmin = true, then this will set isAdmin = true on all objects that inherit from Object, potentially leading to an escalation of privileges.

Note that payload or attack depends on the application and the structure of the code. Client-side Prototype Pollution can often lead to:

  • Privilege escalation

  • Security measures bypass

  • Data manipulation

  • Remote code execution

Other learning resources:

Writeups:

Checklist

Understand the JavaScript environment

  • What libraries or frameworks are being used

  • How does the application handle user input

    • How does the application manipulate objects and their prototypes

Identify potential points of attack

  • User-supplied input that is directly used as an object

  • Functions that iterate over properties of user-supplied objects

    • Functions that use the Object or Function constructors with user input

Test the prototype

  • Can you add a new property to the prototype?

  • Can you modify an existing property on the prototype?

    • Can you delete a property from the prototype?

Test for privilege escalation

  • Add a new user privilege to the prototype

  • Modify an existing user privilege on the prototype

    • Delete a user privilege from the prototype

Test for security measures bypass

  • Add a new security property to the prototype

  • Modify an existing security property on the prototype

    • Delete a security property from the prototype

Is it actually exploitable?

  • Is there a blocklist?

  • Can you bypass the blocklist?

  • Test for insecure direct object references

    • Test for remote code execution

Test for patches

  • How does the application behave with patched libraries like Lodash, JQuery, etc.?

    • Is the patch effective or can it be bypassed?

Exploitation

// Add new property
payload = '{"__proto__":{"polluted":"pwned"}}'

// Modify an existing property
payload = '{"__proto__":{"existingProperty":"new value"}}'

// Delete a property
payload = '{"__proto__":{"existingProperty":null}}'

// Adding user privilege
payload = '{"__proto__":{"isAdmin":true}}'

// Bypassing security measures
payload = '{"__proto__":{"validateInput":false}}'
PreviousPrototype PollutionNextAutorize

Last updated 11 months ago