PROFESSIONALCOMMUNITY

Testing for prototype pollution with DOM Invader

  • Last updated: June 1, 2023

  • Read time: 2 Minutes

Prototype pollution is a JavaScript vulnerability. It enables an attacker to add arbitrary properties to global object prototypes, which may then be inherited by user-defined objects. This enables attackers to control object properties that would otherwise be inaccessible.

You can test for client-side prototype pollution vulnerabilities using DOM Invader. DOM Invader can automatically detect prototype pollution sources and scan for gadgets that you can use to craft an exploit. It can use the prototype pollution sources it discovers to pollute the Object.prototype as a proof of concept.

Before you start

Enable DOM Invader. For more information, see Enabling DOM Invader.

Steps

You can follow along with this process in the DOM XSS via client-side prototype pollution Web Security Academy lab.

Enabling prototype pollution detection in DOM Invader

  1. In the upper-right corner of Burp's browser, click the Burp Suite logo to display the Settings menu
  2. Click the DOM Invader tab.
  3. Click Attack types and toggle the switch so that Prototype pollution is on.
  4. Click Reload to reload the browser and make your changes take effect.

Finding potential sources for prototype pollution

  1. Right-click in the browser window and select Inspect to open the devtools panel.

  2. Click the DOM Invader tab.

  3. Browse around your target site to identify potential sources for prototype pollution. DOM Invader displays any sources found in the Sources list.

Testing sources manually

  1. While on the page in which the source was found, expand the Sources list and click Test. DOM Invader opens the same page in a new browser tab.
  2. From the new tab, open the devtools panel and select the Console tab.
  3. Expand the Object node to display the Object.prototype.
  4. Confirm that the Object.prototype output now contains a property called testproperty.
  5. Create a new object in the console using the command let myObject = {};.
  6. Use the command console.log(myObject.testproperty); to view the new object. Confirm that this new object has inherited testproperty.

Creating a proof of concept exploit

  1. Select the source from the Sources list and click Scan for gadgets. DOM Invader opens a new tab and starts scanning.
  2. Once the scan has finished, right-click in the new tab's browser window and select Inspect to open the devtools panel.
  3. Click the DOM invader tab and check the contents of the Sinks list. These are sinks that DOM Invader was able to access via the identified gadgets.
  4. Click Exploit next to a sink to test the sink with a proof-of-concept exploit. DOM Invader opens a new window in which it attempts to call the alert() function. If it is able to call the function, then an exploitable prototype pollution vulnerability is confirmed.

Related pages

  • DOM Invader - Gives further information on how to use DOM Invader.
  • DOM-based vulnerabilities - Explains what the DOM is and how insecure processing of DOM data can introduce vulnerabilities.

Was this article helpful?