29.2 Lab: DOM XSS via client-side prototype pollution

This lab is vulnerable to DOM XSS via client-side prototype pollution. To solve the lab: Find a source that you can use to add arbitrary properties to the global Object.prototype. Identify a gadget property that allows you to execute arbitrary JavaScript. Combine these to call alert() | Karthikeyan Nagaraj

Karthikeyan Nagaraj
Infosec Matrix
2 min readJun 12, 2024

--

Description

This lab is vulnerable to DOM XSS via client-side prototype pollution. To solve the lab:

  1. Find a source that you can use to add arbitrary properties to the global Object.prototype.
  2. Identify a gadget property that allows you to execute arbitrary JavaScript.
  3. Combine these to call alert().

You can solve this lab manually in your browser, or use DOM Invader to help you.

Solution

  1. Open the lab in Burp’s built-in browser.
  2. Enable DOM Invader and enable the prototype pollution option.
  3. Open the browser DevTools panel, go to the DOM Invader tab, then reload the page.
  4. Observe that DOM Invader has identified two prototype pollution vectors in the search property i.e. the query string.
  5. Click Scan for gadgets. A new tab opens in which DOM Invader begins scanning for gadgets using the selected source.
  6. When the scan is complete, open the DevTools panel in the same tab as the scan, then go to the DOM Invader tab.
  7. Observe that DOM Invader has successfully accessed the script.src sink via the transport_url gadget.
  8. Click Exploit. DOM Invader automatically generates a proof-of-concept exploit and calls alert(1).

--

--

Infosec Matrix
Infosec Matrix

Published in Infosec Matrix

Collection of Best Writeups for HackTheBox, Portswigger, Bug Bounty, TryHackme, OverTheWire, PwnCollege, PicoCTF, and More.

Karthikeyan Nagaraj
Karthikeyan Nagaraj

Written by Karthikeyan Nagaraj

Entrepreneur | Writer | Cyber Security Consultant | AI Researcher

No responses yet