search
githubEdit

Server-Side prototype pollution

hashtag
Intro

Server-side prototype pollution (PP) occurs when an attacker can manipulate an application’s prototype chain on the server side, leading to serious vulnerabilities such as remote code execution (RCE) or privilege escalation. It takes advantage of the way JavaScript objects inherit properties and methods from their prototypes.

Unlike client-side PP, detecting and exploiting server-side PP is more challenging due to several factors:

  • No source code access: In most cases, the vulnerable JavaScript code on the server is not directly visible, making it harder to analyze which parts of the code are vulnerable.

  • Lack of developer tools: You can’t use browser DevTools to inspect objects or track behavior, as the JavaScript is running on a remote server.

  • DoS risk: When you successfully pollute a server-side prototype, you risk breaking functionality or crashing the server, which is risky in production environments.

  • Pollution persistence: Unlike client-side environments, where refreshing the page resets changes, server-side prototype pollution persists throughout the lifecycle of the server process.

These challenges make it essential to develop safe, non-destructive techniques for testing and detecting server-side prototype pollution vulnerabilities.

hashtag
Payloads

  • Basic

POST /user/update HTTP/1.1
Host: example.com
content-type: application/json

{
    "name": "john",
    "email": "john@example.com",
    "__proto__": {
        "foo": "bar"
    }
}

  • Other option

  • Bypass Sanitization

hashtag
Detection

In the detection phase of server-side prototype pollution (SSPP), the goal is to identify if a vulnerable server accepts and processes maliciously crafted payloads that can lead to prototype pollution. Here are key detection techniques based on the resources you provided:

hashtag
Polluted Property Reflection

One of the most common ways to detect SSPP is by submitting JSON data containing __proto__ or constructor objects and then checking whether the polluted properties are reflected in the response or server behavior.

Example Payloads:

If the application is vulnerable, the response might include the new foo property:

This indicates that the __proto__ pollution worked, and the property foo was injected into the object.

hashtag
Parameter limit

hashtag
Ignore query prefix

hashtag
Allow dots

hashtag
Content type

hashtag
JSON spaces

hashtag
Exposed headers

hashtag
OPTIONS

hashtag
JSON reflection

Two keys are used in the preceding example __proto__ and __proto__x. If the latter is reflected but not the former, then it's likely there is some form of object reflection that could be prototype pollution. If the key/value persists when the property is removed, this indicates there is some form of object persistence that could potentially be prototype pollution.

In the preceding example, only b is reflected and not the inherited property a. This is because Lodash looks at the current object to see if the property already exists in the merged object

hashtag
OAST

I read an excellent paper about exploiting prototype pollutionarrow-up-right by Mikhail Shcherbakov, Musard Balliu & Cristian-Alexandru Staicu. In the paper they detail how to exploit Node sinks such as fork(), exec(), execSync() and others.

windows

This will successfully evade scrapers and create the required DNS interaction.

hashtag
Exploitation

hashtag
Privilege Escalation

hashtag
JSON Spaces Overriding

hashtag
Status Code Overriding

hashtag
RCE via child_process

shell: It enables us to set a specific shell such as sh, bash, in which to run commands.

NODE_OPTIONS: The environment variable that defines the command-line arguments.

hashtag
RCE via child_process.spawn(), child_process.fork()

hashtag
Remote Command Execution: RCE in Kibana (CVE-2019-7609)arrow-up-right

hashtag
Remote Command Execution: RCE using EJS gadgetsarrow-up-right

hashtag
Overwrite Environment Variable

  • env Set the value of the xyz to environment variables.

  • --require /proc/self/environ Inject environment variables from the current process as a module.

hashtag
Resources

  1. Server-side Prototype Pollution - PortSwigger Researcharrow-up-right

  2. Server-side Prototype Pollution Paper - ArXivarrow-up-right

  3. Server-side Prototype Pollution - PortSwigger Web Securityarrow-up-right

  4. Prototype Pollution to RCE - HackTricksarrow-up-right

  5. Detecting Server-side Prototype Pollution without Polluted Property Reflection - PortSwigger Labsarrow-up-right

  6. Privilege Escalation via Server-side Prototype Pollution - PortSwigger Labsarrow-up-right

  7. Prototype Pollution in Server-side Applications - Exploit Notesarrow-up-right

  8. JavaScript Prototype Pollution Attack - Medium Guidearrow-up-right

  9. Payloads All The Things - Prototype Pollution Exploitationarrow-up-right

  10. Server-side Prototype Pollution Video - YouTubearrow-up-right [Arabic]

  11. JavaScript Prototype Pollution Attack Video - YouTubearrow-up-right [Arabic]

PreviousClient-Side Prototype PollutionNextTools-Extensions-Bookmarks

Last updated