Find a prototype pollution source
- In your browser, try polluting `Object.prototype` by injecting an arbitrary property via the query string: `/?__proto__[foo]=bar`
- Open the browser DevTools panel and go to the Console tab.
- Enter `Object.prototype`.
- Study the properties of the returned object and observe that your injected `foo` property has been added. You've successfully found a prototype pollution source.
Identify a gadget
- In the browser DevTools panel, go to the Sources tab.
- Study the JavaScript files that are loaded by the target site and look for any DOM XSS sinks.
- In `searchLoggerConfigurable.js`, notice that if the `config` object has a `transport_url` property, this is used to dynamically append a script to the DOM.
- Observe that a `transport_url` property is defined for the `config` object, so this doesn't appear to be vulnerable.
- Observe that the next line uses the `Object.defineProperty()` method to make the `transport_url` property unwritable and unconfigurable. However, notice that the descriptor it passes doesn't define a `value` property, so `Object.defineProperty()` resolves `value` by walking the descriptor object's prototype chain, which ends at `Object.prototype`.
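The following is an added example, not the lab's own `searchLoggerConfigurable.js` and not PortSwigger's code. It models the gadget just described in plain Node.js: a descriptor without `value` beside a hardened descriptor that cannot inherit anything, plus a small runtime check for inherited keys. The function names (`buildConfig`, `hardenedBuildConfig`, `scriptSrcFor`, `withPollutedPrototype`, `inheritedEnumerableKeys`) and the polluted string are assumptions made for this illustration; pollution is simulated in-process rather than through a URL parser, and the global prototype is restored afterwards.

```javascript
// Added example (not the lab's searchLoggerConfigurable.js): a minimal model of the
// Object.defineProperty() gadget. All function names here are chosen for this illustration.

// Vulnerable shape: the descriptor omits `value`. Object.defineProperty() reads
// descriptor.value through the descriptor object's prototype chain, so if
// Object.prototype.value has been polluted, config.transport_url silently takes that value.
function buildConfig() {
  const config = { transport_url: false };
  Object.defineProperty(config, 'transport_url', { configurable: false, writable: false });
  return config;
}

// Hardened shape: the descriptor is a null-prototype object with an explicit `value`,
// so there is no prototype chain for the lookup to walk and nothing to inherit.
function hardenedBuildConfig() {
  const config = { transport_url: false };
  const descriptor = Object.create(null);
  descriptor.value = config.transport_url;
  descriptor.configurable = false;
  descriptor.writable = false;
  Object.defineProperty(config, 'transport_url', descriptor);
  return config;
}

// Models the sink condition the page describes: only a truthy transport_url would be
// used as a script src. Returns the value that would reach the sink, or null.
function scriptSrcFor(config) {
  return config.transport_url ? String(config.transport_url) : null;
}

// Harness: simulate the effect of the query-string source in-process (constructed
// pollution, no URL parsing), run fn, then delete the property so the global
// prototype is restored for everything else in the process.
function withPollutedPrototype(fn, polluted = 'constructed-polluted-value') {
  Object.prototype.value = polluted;
  try {
    return fn();
  } finally {
    delete Object.prototype.value;
  }
}

// Runtime check a defender can wire into a page: the enumerable keys an empty object
// inherits. In a healthy page this list is always empty.
function inheritedEnumerableKeys() {
  const keys = [];
  for (const k in {}) keys.push(k);
  return keys;
}

module.exports = { buildConfig, hardenedBuildConfig, scriptSrcFor, withPollutedPrototype, inheritedEnumerableKeys };
```

Run with `node`: without pollution both builders leave `transport_url` as `false`; with `Object.prototype.value` polluted, `buildConfig()` hands the polluted string to the sink while `hardenedBuildConfig()` still returns `false`. The fix is not the null prototype alone but the explicit `value`: any descriptor field left out is looked up, not defaulted, so spell out every field you rely on.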
Craft an exploit
- Using the prototype pollution source you identified earlier, try injecting an arbitrary `value` property: `/?__proto__[value]=foo`
- In the browser DevTools panel, go to the Elements tab and study the HTML content of the page. Observe that a `<script>` element has been rendered on the page, with the `src` attribute `foo`.
- Modify the payload in the URL to inject an XSS proof-of-concept. For example, you can use a `data:` URL as follows: `/?__proto__[value]=data:,alert(1);`
- Observe that the `alert(1)` is called and the lab is solved.