Prototype Pollution
To be updated eventually
Lab: DOM XSS via client-side prototype pollution
This lab is vulnerable to DOM XSS via client-side prototype pollution. To solve the lab:
Find a source that you can use to add arbitrary properties to the global Object.prototype.
Identify a gadget property that allows you to execute arbitrary JavaScript.
Combine these to call alert().
You can solve this lab manually in your browser, or use DOM Invader to help you.
Solution
Manual
First, we will try to inject via the query string
https://0a9d00370448f5e580c7ad1b0061006c.web-security-academy.net/?__proto__[foo]=bar
Next, we will go to the Console tab.
If we enter Object.prototype, we should be able to see the property that we injected.

After some enumeration, we can see that in searchLogger.js, if the config object has a transport_url property, the script appends a script element to the DOM.
We can see that the config object does not have any transport_url property defined, so a value inherited from the polluted Object.prototype would be used instead.
So from there, the next thing we can try is changing the payload to this:
If we inspect the element, we can see that the script tag has been added.
So the final step is to add the XSS payload into it.
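As an added, defender-side example (not the lab's own searchLogger.js and not part of the original writeup), the code below shows how the two halves of this chain are closed: a query-string parser that drops the __proto__ source instead of writing it into Object.prototype, and an own-property check on the transport_url gadget. The parser's bracket syntax (one level of nesting) and the helper names are assumptions.

```javascript
// Added example (not the lab's own searchLogger.js): a query-string parser
// hardened against the prototype pollution source used above. A key such as
// __proto__[foo] is dropped instead of being written into Object.prototype.

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Parses "?a[b]=c&d=e" into a nested object. Assumed format: at most one
// level of bracket nesting (enough for the payload shape discussed above).
function parseQuery(qs) {
  // A null-prototype object has no link to Object.prototype, so even a key
  // that slipped through could not reach the global prototype via this object.
  const out = Object.create(null);
  for (const pair of qs.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = safeDecode(eq < 0 ? pair : pair.slice(0, eq));
    const value = safeDecode(eq < 0 ? '' : pair.slice(eq + 1));
    const m = /^([^\[\]]+)(?:\[([^\[\]]*)\])?$/.exec(key);
    if (!m) continue;
    const [, top, sub] = m;
    // Refuse any segment that would walk up the prototype chain.
    if (BLOCKED_KEYS.has(top) || (sub !== undefined && BLOCKED_KEYS.has(sub))) continue;
    if (sub === undefined) {
      out[top] = value;
    } else {
      if (typeof out[top] !== 'object' || out[top] === null) out[top] = Object.create(null);
      out[top][sub] = value;
    }
  }
  return out;
}

// Gadget-side fix: only honour transport_url when it is the config's own
// property, never one inherited from a (possibly polluted) prototype.
function ownTransportUrl(config) {
  return Object.prototype.hasOwnProperty.call(config, 'transport_url')
    ? config.transport_url : undefined;
}

// Detection helper for the browser console: has Object.prototype acquired
// an own property with this name (like the injected foo above)?
function isPrototypePolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}
```

Running isPrototypePolluted('transport_url') in the console after loading a page with the suspect query string is a quick way to confirm whether a parser is still vulnerable.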

Lab: DOM XSS via an alternative prototype pollution vector
This lab is vulnerable to DOM XSS via client-side prototype pollution. To solve the lab:
Find a source that you can use to add arbitrary properties to the global Object.prototype.
Identify a gadget property that allows you to execute arbitrary JavaScript.
Combine these to call alert().
You can solve this lab manually in your browser, or use DOM Invader to help you.
Solution