Lab: Client-side prototype pollution via browser APIs
This lab is vulnerable to DOM XSS via client-side prototype pollution. The website's developers have noticed a potential gadget and attempted to patch it. However, you can bypass the measures they've taken.
To solve the lab:
Find a source that you can use to add arbitrary properties to the global
Combine these to call
You can solve this lab manually in your browser, or use DOM Invader to help you.
Find a prototype pollution source
In your browser, try polluting the
Object.prototypeby injecting an arbitrary property via the query string:
Open the browser DevTools panel and go to the Console tab.
Study the properties of the returned object and observe that your injected
fooproperty has been added. You've successfully found a prototype pollution source.
Identify a gadget
In the browser DevTools panel, go to the Sources tab.
searchLoggerConfigurable.js, notice that if the
configobject has a
transport_urlproperty, this is used to dynamically append a script to the DOM.
Observe that a
transport_urlproperty is defined for the
configobject, so this doesn't appear to be vulnerable.
Observe that the next line uses the
Object.defineProperty()method to make the
transport_urlunwritable and unconfigurable. However, notice that it doesn't define a
Craft an exploit
Using the prototype pollution source you identified earlier, try injecting an arbitrary value property:
In the browser DevTools panel, go to the Elements tab and study the HTML content of the page. Observe that a
<script>element has been rendered on the page, with the
Modify the payload in the URL to inject an XSS proof-of-concept. For example, you can use a
data:URL as follows:
Observe that the
alert(1)is called and the lab is solved.
DOM Invader solution
Load the lab in Burp's built-in browser.
Open the browser DevTools panel, go to the DOM Invader tab, then reload the page.
Observe that DOM Invader has identified two prototype pollution vectors in the
searchproperty i.e. the query string.
Click Scan for gadgets. A new tab opens in which DOM Invader begins scanning for gadgets using the selected source.
When the scan is complete, open the DevTools panel in the same tab as the scan, then go to the DOM Invader tab.
Observe that DOM Invader has successfully accessed the
script.srcsink via the
Click Exploit. DOM Invader automatically generates a proof-of-concept exploit and calls