Sitemap
Open in app

Sign in

Medium Logo
Write

Sign in

Mastodon
Infosec Matrix

Collection of Best Writeups for HackTheBox, Portswigger, Bug Bounty, TryHackme, OverTheWire, PwnCollege, PicoCTF, and More.

29.4 Lab: DOM XSS via an alternative prototype pollution vector

Karthikeyan Nagaraj
2 min readJun 14, 2024

--

Description

This lab is vulnerable to DOM XSS via client-side prototype pollution. To solve the lab:

  1. Find a source that you can use to add arbitrary properties to the global Object.prototype.
  2. Identify a gadget property that allows you to execute arbitrary JavaScript.
  3. Combine these to call alert().

You can solve this lab manually in your browser, or use DOM Invader to help you.

Solution

  1. Load the lab in Burp’s built-in browser.
  2. Enable DOM Invader and enable the prototype pollution option.
  3. Open the browser DevTools panel and go to the DOM Invader tab and reload the page.
  4. Observe that DOM Invader has identified a prototype pollution vector in the search property i.e. the query string.
  5. Click Scan for gadgets. A new tab opens in which DOM Invader begins scanning for gadgets using the selected source.
  6. When the scan is complete, open the DevTools panel in the same tab as the scan, then go to the DOM Invader tab.
  7. Observe that DOM Invader has successfully accessed the eval() sink via the sequence gadget.
  8. Click Exploit. Observe that DOM Invader’s auto-generated proof-of-concept doesn’t trigger an alert().
  9. Go back to the previous browser tab and look at the eval() sink again in DOM Invader. Notice that following the closing canary string, a numeric 1 character has been appended to the payload.
  10. Click Exploit again. In the new tab that loads, append a minus character (-) to the URL and reload the page.
  11. Observe that the alert(1) is called and the lab is solved.

A YouTube Channel for Cybersecurity Lab’s Poc and Write-ups

Cyberw1ng

Learn Cyber Security and Create Awareness ~ cyberwing Stay tuned with me, Subscribe, and Like the Videos… Ask Doubts…

www.youtube.com

Telegram Channel for Free Ethical Hacking Dumps

Ethical Hacking Dumps — CEH, OSCP, Comptia

Materials and Books for Ethical Hacking Exams like CEH v12, OSCP, Comptia Pentest+, Comptia Security+, Comptia Network+…

t.me

Thank you for Reading!

Happy Ethical Hacking ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng

Cybersecurity
Careers
Hacking
Bug Bounty
Penetration Testing

--

--

Infosec Matrix
Infosec Matrix

Published in Infosec Matrix

558 followers
Last published 1 day ago

Collection of Best Writeups for HackTheBox, Portswigger, Bug Bounty, TryHackme, OverTheWire, PwnCollege, PicoCTF, and More.

Karthikeyan Nagaraj
Karthikeyan Nagaraj

Written by Karthikeyan Nagaraj

11.7K followers
1 following

Entrepreneur | Writer | Cyber Security Consultant | AI Researcher TopMate - https://topmate.io/cyberw1ng

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Rules

Terms

Text to speech