Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

A tale of making internet pollution free - Prototype Pollution Bugs - 642

s1r1us, posted 4 years ago
  • JavaScript is a prototype-based language. Practically, this means that when new objects are created, they carry over the properties and methods of the prototype (__proto__) object. This object-based inheritance gives JavaScript flexibility and power, but with great power comes great responsibility!
  • The attack is only possible when a merge operation can write to the root prototype. From that point on, every object inherits the value the attacker placed there, which can lead to XSS on the client side or RCE on the server side.
  • The bulk of the testing on the client side was done by adding __proto__[field] = value and then checking whether the application had inherited it. They wrote a Chrome extension that does this automatically when visiting a page, which is pretty rad!
  • While testing, the authors found that 80% of nested parsers in JS were vulnerable to this attack. All they had to do was find some sites that were using this software and exploit it for further gain. Exploitation required the finding of an XSS gadget that existed within the context of the application by poisoning some important field. They have several interesting case studies on this.
  • The first case was Jira. They found that Jira Service Management was using Backbone for query parameter handling. By passing in __proto__.x=11111 as a parameter, the prototype could be poisoned. Using the Untrusted Types extension, a few interesting sinks can be found to inject directly into the DOM.
  • The authors constantly told developers about the issue but did not tell them about the proper way to fix it. Besides __proto__, you can use [constructor][prototype] as well. If you're a bug bounty hunter, this is a really good way to make extra money from the same bug.
  • While browsing with the extension on for the Apple Watch application, they noticed a pollution issue. To exploit this, they poisoned the src attribute, then changed the onerror handler to JavaScript that they controlled. When the image failed to load, this would execute JavaScript in the context of the page. The URL query parameter is: __proto__[src]=image&__proto__[onerror]=alert(1).
  • Segment Analytics used querystring, which is vulnerable to prototype pollution. They found that the pollution was only possible if the property was a number. They found a really crazy payload if knockout.js was being used, but nothing else.
  • If you want to see a real example of this vulnerability in action, check out Trello. If you go to the developer console and type in __proto__[123], you will notice that the value is set to 'xx'. To me, this was really helpful for visualizing the vulnerability class.
  • This post was awesome for learning about how Prototype pollution works. I'm excited to add the Chrome Extension they pointed out and add my own payloads as well. Thanks for the real world examples, friends!
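As an added example (not code from the post or from this page), here is the vulnerable merge pattern the notes describe beside a hardened one, plus the __proto__[field]=value probe that the authors' extension automates, extended to the [constructor][prototype] route as well. The names parseQuery, setPath, makeParser and isPolluted are my own for this illustration, and the query-string format is a constructed bracket-notation one.

```javascript
// Added example, not from the post or this page: a minimal bracket-notation
// query-string parser with a naive recursive merge, a hardened variant, and
// the "inject a marker, then see whether a fresh object inherits it" probe.

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "?a[b][c]=v&x=y" into { path: ['a','b','c'], value: 'v' } records.
function parseQuery(qs) {
  return qs.replace(/^\?/, '').split('&').filter(Boolean).map((pair) => {
    const [rawKey, rawVal = ''] = pair.split('=');
    const path = decodeURIComponent(rawKey).split('[').map((s) => s.replace(/\]$/, ''));
    return { path, value: decodeURIComponent(rawVal) };
  });
}

// Walk/create nested objects along `path` and assign `value` at the end.
// With no key filter this is the vulnerable pattern: target['__proto__'] is
// Object.prototype, so the final assignment lands on every object.
function setPath(target, path, value, isBlocked = () => false) {
  let node = target;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (isBlocked(key)) return false;          // hardened parser drops the pair
    if (node[key] === undefined || node[key] === null) node[key] = {};
    node = node[key];
  }
  const last = path[path.length - 1];
  if (isBlocked(last)) return false;
  node[last] = value;
  return true;
}

function makeParser(isBlocked) {
  return (qs) => {
    const out = {};
    for (const { path, value } of parseQuery(qs)) setPath(out, path, value, isBlocked);
    return out;
  };
}
const naiveParse = makeParser(() => false);                 // vulnerable
const safeParse = makeParser((k) => BLOCKED_KEYS.has(k));   // hardened

// The probe from the post: push a marker through the parser, then check
// whether a brand-new object inherited it. `prefix` selects the route
// ('__proto__' or 'constructor[prototype]').
function isPolluted(parse, prefix = '__proto__', field = 'ppProbe') {
  parse(`?${prefix}[${field}]=marker`);
  const leaked = ({})[field] === 'marker';
  delete Object.prototype[field];            // reset so later probes start clean
  return leaked;
}
```

Running isPolluted against any parser you wrap in this way is the same check the extension performs on each page load, just done by hand.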