29.2 Lab: DOM XSS via client-side prototype pollution
Karthikeyan Nagaraj | Jun 12, 2024 | 2 min read
Description
This lab is vulnerable to DOM XSS via client-side prototype pollution. To solve the lab:
- Find a source that you can use to add arbitrary properties to the global Object.prototype.
- Identify a gadget property that allows you to execute arbitrary JavaScript.
- Combine these to call alert().
You can solve this lab manually in your browser, or use DOM Invader to help you.
Solution
- Open the lab in Burp’s built-in browser.
- Enable DOM Invader and enable the prototype pollution option.
- Open the browser DevTools panel, go to the DOM Invader tab, then reload the page.
- Observe that DOM Invader has identified two prototype pollution vectors in the search property, i.e. the query string.
- Click Scan for gadgets. A new tab opens in which DOM Invader begins scanning for gadgets using the selected source.
- When the scan is complete, open the DevTools panel in the same tab as the scan, then go to the DOM Invader tab.
- Observe that DOM Invader has successfully accessed the script.src sink via the transport_url gadget.
- Click Exploit. DOM Invader automatically generates a proof-of-concept exploit and calls alert(1).
Thank you for Reading!
Happy Ethical Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng