Prototype pollution
############################################################################################
https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution#
https://learn.snyk.io/lessons/prototype-pollution/javascript/ #
Excellent explanation on these websites.                                                   #
############################################################################################
Every object in JavaScript is simply a collection of key/value pairs, and every object inherits from Object. This means that if you are able to pollute Object.prototype, every JavaScript object in the environment is polluted!
The merge function that startup.io wrote (the example in the Snyk lesson linked above) aimed to update one object with all attributes of another object. As the lesson's code tour shows, the merge function is recursive and merrily merges all properties from its second input, even when it contains untrusted data with dubious keys such as __proto__.
Merging two objects is not the only functionality that can expose the code to a prototype pollution attack—any function which recursively sets nested properties can create an attack vector. Other common examples in the JavaScript ecosystem include: deep cloning (e.g. lodash cloneDeep), setting nested properties (e.g. lodash set), or creating objects by recursively "zipping" properties with values (e.g. lodash zipObjectDeep).
__________________________________________________________________________________________________________________________________________________
"Using the constructor property
Another way to achieve prototype pollution of all JS objects with the prototype property without using Object is to use the constructor property.
This property returns a reference to the Object constructor function that created the instance object. This means that, for our redCar instance, this will be the Car constructor function. But running it on an object created directly from Object.prototype like Car or any objects that got generated without intermediary constructor functions, will give us the desired Object prototype back.
// simpleObject is created directly from Object, so its .constructor is Object itself
const simpleObject = {};
simpleObject.constructor.prototype.toString = function() {
  console.log("Polluted with the constructor property.");
};
SAME SOURCE: https://medium.com/@zub3r.infosec/exploiting-prototype-pollutions-220f188438b2
________________________________________________________________________________________________________________________________________________________
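The following is an added example, not code from the linked articles or the Medium post: a recursive merge of the kind described in the merge section, next to a hardened version that also closes the constructor.prototype path from the quoted section. The function names, the blocked-key set and the sample JSON body are constructed for this illustration.

```javascript
// Added example (not code from the linked articles): a recursive merge of the
// kind described above, next to a hardened version that refuses to walk keys
// which reach the prototype chain. Function names and the sample JSON are
// constructed for this illustration.

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Vulnerable: recurses into every enumerable key of `source`, including an own
// property literally named "__proto__" (which JSON.parse happily creates).
// Reading target["__proto__"] returns Object.prototype, so the recursion then
// writes the nested keys onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skip the keys that lead from a plain object to Object.prototype
// ("__proto__" directly, or "constructor" followed by "prototype" as in the
// constructor section) and only recurse into own properties of the target.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (!isPlainObject(existing)) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input, e.g. a JSON request body merged into a config object.
const UNTRUSTED_JSON = '{"name":"guest","__proto__":{"isAdmin":true}}';

// Runs one merge over the untrusted body and reports whether an unrelated,
// freshly created object now sees the injected key, i.e. whether the global
// Object.prototype was polluted. Cleans up afterwards so later code is unaffected.
function pollutes(mergeFn) {
  mergeFn({}, JSON.parse(UNTRUSTED_JSON));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

console.log("unsafeMerge pollutes Object.prototype:", pollutes(unsafeMerge)); // true
console.log("safeMerge pollutes Object.prototype:", pollutes(safeMerge));     // false
```

Run it with node. The key-denylist is the usual fix for merge-style helpers; a second layer is to build the target with Object.create(null) or a Map so there is no prototype chain to reach, and Node's --disable-proto=delete option removes the __proto__ accessor process-wide, which makes the JSON.parse path inert even in libraries you do not control.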