Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Prototype Pollution in Python - 1087

Abdulraheem Khaled, posted 3 years ago
  • Prototype Pollution is a JavaScript vulnerability that allows an attacker to write to an object's __proto__. By doing so, the attacker overwrites default properties shared by every object that inherits from that prototype, causing all sorts of havoc. It is normally caused by blindly merging untrusted objects into existing ones. Does a similar vulnerability affect other languages?
  • The author of this post dove into how the same idea could be applied in Python, coining the term class pollution for it. Python objects expose dunder (double underscore) methods such as __str__() and attributes such as __class__, and it is possible to overwrite these at run time.
  • The functions __getattr__/__setattr__ and __getitem__/__setitem__ read and set the attributes and items of an object. If an attacker can set arbitrary attributes of a class through these functions, then we have class pollution. As with Prototype Pollution, this typically happens when a Python object is populated from a JSON blob on the fly, for example by a recursive merge.
  • This is where the fun begins! What else can be overwritten besides the attributes of a class? It turns out that the functions mentioned above are far more general than you would expect. Using __base__, an attacker can traverse up the class hierarchy indefinitely, with some limitations. The main limitation is that the field to be overwritten must be reachable through the same inheritance chain. Alternatively, a function's __globals__ can be traversed and overwritten in the same way!
  • The author notes that this kind of merging is more common than one would expect: the Python port of lodash (pydash) had this exact problem. In an exploit demonstration with subprocess.Popen, the author of the post overwrites the COMSPEC variable by traversing the globals to gain trivial command injection. There is an unlimited number of primitives to explore, but many of them will be specific to the application in use.
  • Overall, a super nifty vulnerability that you may come across some day! Love this post and vuln class.
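To make the mechanism in the bullets above concrete, here is an added example (my own code, not from the summarized post or from pydash). A naive recursive merge walks whatever attribute path the JSON names, so a payload can climb instance -> __class__ -> __init__ -> __globals__ and rewrite a module-level variable; the hardened merge beside it refuses dunder keys and only touches instance data that already exists. The User class, DEFAULT_GREETING global and POLLUTION_PAYLOAD are constructed for the example, and the pollution target is a harmless string rather than anything executable.

```python
# Module-level global that a polluted merge can reach through
# User.__init__.__globals__ (constructed for this example).
DEFAULT_GREETING = "hello"


class User:
    """Plain data object standing in for something populated from JSON."""

    def __init__(self, name="anon"):
        self.name = name

    def greet(self):
        # Reads the module global, so it reveals whether it was polluted.
        return f"{DEFAULT_GREETING}, {self.name}"


def naive_merge(src, dst):
    """Vulnerable merge: recurses into ANY attribute named by src, dunders
    included, and falls back to setattr() for everything else."""
    for k, v in src.items():
        if isinstance(dst, dict):
            if dst.get(k) is not None and isinstance(v, dict):
                naive_merge(v, dst[k])
            else:
                dst[k] = v
        elif hasattr(dst, k) and isinstance(v, dict):
            # This branch is the problem: __class__, __init__, __globals__
            # are all attributes, so the walk climbs out of the object.
            naive_merge(v, getattr(dst, k))
        else:
            setattr(dst, k, v)
    return dst


def safe_merge(src, dst):
    """Hardened merge: rejects reserved keys, only descends into plain dicts,
    and only updates attributes already present in the instance __dict__."""
    for k, v in src.items():
        if not isinstance(k, str) or k.startswith("__"):
            raise ValueError(f"refusing to merge reserved key {k!r}")
        if isinstance(dst, dict):
            if isinstance(v, dict) and isinstance(dst.get(k), dict):
                safe_merge(v, dst[k])
            else:
                dst[k] = v
        else:
            fields = vars(dst)  # instance attributes only, never class-level ones
            if k not in fields:
                raise ValueError(f"unknown attribute {k!r} for {type(dst).__name__}")
            if isinstance(v, dict) and isinstance(fields[k], dict):
                safe_merge(v, fields[k])
            else:
                setattr(dst, k, v)
    return dst


# Constructed payload: climbs to the module globals and rewrites a string.
POLLUTION_PAYLOAD = {
    "__class__": {"__init__": {"__globals__": {"DEFAULT_GREETING": "polluted"}}}
}


def rejects(merge_fn, payload, target):
    """True if merge_fn refuses the payload with ValueError."""
    try:
        merge_fn(payload, target)
    except ValueError:
        return True
    return False


def reset_greeting():
    """Restore the global so the demonstration can be re-run."""
    global DEFAULT_GREETING
    DEFAULT_GREETING = "hello"


if __name__ == "__main__":
    print(User("a").greet())                  # hello, a
    naive_merge(POLLUTION_PAYLOAD, User("x"))
    print(User("b").greet())                  # polluted, b  (a different object!)
    reset_greeting()
    print(rejects(safe_merge, POLLUTION_PAYLOAD, User("c")))  # True
    print(safe_merge({"name": "dave"}, User("d")).name)       # dave
```

The defensive point is that the merged object never needed attribute traversal at all: validate the incoming document against a schema, reject any key beginning with a double underscore, and assign only to fields the application explicitly expects.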