Lab: DOM XSS via client-side prototype pollution
Find a source that you can use to add arbitrary properties to the global
Combine these to call
You can solve this lab manually in your browser, or use DOM Invader to help you.
Find a prototype pollution source
In your browser, try polluting the Object.prototype by injecting an arbitrary property via the query string:
Open the browser DevTools panel and go to the Console tab.
Study the properties of the returned object. Observe that it now has a foo property with the value bar. You've successfully found a prototype pollution source.
Identify a gadget
In the browser DevTools panel, go to the Sources tab.
In searchLogger.js, notice that if the config object has a transport_url property, this is used to dynamically append a script to the DOM.
Notice that no transport_url property is defined for the config object. This is a potential gadget for controlling the
Craft an exploit
Using the prototype pollution source you identified earlier, try injecting an arbitrary
In the browser DevTools panel, go to the Elements tab and study the HTML content of the page. Observe that a <script> element has been rendered on the page, with the
Modify the payload in the URL to inject an XSS proof-of-concept. For example, you can use a data: URL as follows:
Observe that the alert(1) is called and the lab is solved.
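To make the source and the gadget concrete, here is an added example (not the lab's own searchLogger.js) of a query-string parser in the shape the lab relies on, first as it pollutes Object.prototype and then hardened, with the transport_url check done both ways. The parser shape, the FORBIDDEN list and the CONSTRUCTED_SRC value are assumptions for this illustration.

```javascript
// Constructed example (not the lab's code): vulnerable and hardened query parsing plus the gadget check.
function splitPairs(qs) {
  return qs.replace(/^\?/, "").split("&").filter(Boolean).map((pair) => {
    const [k, v = ""] = pair.split("=");
    // "a[b][c]" -> ["a", "b", "c"]
    return [decodeURIComponent(k).replace(/\]/g, "").split("["), decodeURIComponent(v)];
  });
}
// Vulnerable: stepping into out["__proto__"] lands on Object.prototype, so the final
// assignment becomes an inherited property of every object in the page.
function parseQueryUnsafe(qs) {
  const out = {};
  for (const [path, value] of splitPairs(qs)) {
    let cur = out;
    for (const seg of path.slice(0, -1)) {
      if (typeof cur[seg] !== "object" || cur[seg] === null) cur[seg] = {};
      cur = cur[seg];
    }
    cur[path[path.length - 1]] = value;
  }
  return out;
}
// Hardened: drop pairs naming prototype-reaching segments and build null-prototype objects.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);
function parseQuerySafe(qs) {
  const out = Object.create(null);
  for (const [path, value] of splitPairs(qs)) {
    if (path.some((seg) => FORBIDDEN.has(seg))) continue;
    let cur = out;
    for (const seg of path.slice(0, -1)) {
      if (typeof cur[seg] !== "object" || cur[seg] === null) cur[seg] = Object.create(null);
      cur = cur[seg];
    }
    cur[path[path.length - 1]] = value;
  }
  return out;
}
// The gadget, modelled as "which script src would be appended": the unsafe form trusts an
// inherited transport_url, the safe form only honours an own property of config.
function gadgetUnsafe(config) { return config.transport_url ? config.transport_url : null; }
function gadgetSafe(config) {
  return Object.prototype.hasOwnProperty.call(config, "transport_url") ? config.transport_url : null;
}
// Run one parser/gadget pairing against a constructed polluting query, report whether
// Object.prototype was touched and what the gadget would load, then undo the pollution.
function demo(parse, gadget) {
  const config = {}; // like the lab's config object: no own transport_url
  parse("?search=test&__proto__[transport_url]=CONSTRUCTED_SRC");
  const result = { polluted: "transport_url" in {}, src: gadget(config) };
  delete Object.prototype.transport_url;
  return result;
}
```

Running demo with the unsafe pair reports the pollution and a script src, while the hardened parser alone, or the own-property check alone, is enough to stop the gadget from loading anything.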
DOM Invader solution
Open the lab in Burp's built-in browser.
Open the browser DevTools panel, go to the DOM Invader tab, then reload the page.
Observe that DOM Invader has identified two prototype pollution vectors in the search property, i.e. the query string.
Click Scan for gadgets. A new tab opens in which DOM Invader begins scanning for gadgets using the selected source.
When the scan is complete, open the DevTools panel in the same tab as the scan, then go to the DOM Invader tab.
Observe that DOM Invader has successfully accessed the script.src sink via the
Click Exploit. DOM Invader automatically generates a proof-of-concept exploit and calls