Find a prototype pollution source
-
In your browser, try polluting
Object.prototype
by injecting an arbitrary property via the query string:/?__proto__.foo=bar
-
Open the browser DevTools panel and go to the Console tab.
-
Enter
Object.prototype
. -
Study the properties of the returned object and observe that your injected
foo
property has not been added. -
Try alternative prototype pollution vectors. For example:
/?__proto__[foo]=bar /?constructor.prototype.foo=bar
-
Observe that in each instance,
Object.prototype
is not modified. -
Go to the Sources tab and study the JavaScript files that are loaded by the target site. Notice that
deparamSanitized.js
uses thesanitizeKey()
function defined insearchLoggerFiltered.js
to strip potentially dangerous property keys based on a blocklist. However, it does not apply this filter recursively. -
Back in the URL, try injecting one of the blocked keys in such a way that the dangerous key remains following the sanitization process. For example:
/?__pro__proto__to__[foo]=bar /?__pro__proto__to__.foo=bar /?constconstructorructor[protoprototypetype][foo]=bar /?constconstructorructor.protoprototypetype.foo=bar
-
In the console, enter
Object.prototype
again. Notice that it now has its ownfoo
property with the valuebar
. You've successfully found a prototype pollution source and bypassed the website's key sanitization.
Identify a gadget
-
Study the JavaScript files again and notice that
searchLogger.js
dynamically appends a script to the DOM using theconfig
object'stransport_url
property if present. -
Notice that no
transport_url
property is set for theconfig
object. This is a potential gadget.
Craft an exploit
-
Using the prototype pollution source you identified earlier, try injecting an arbitrary
transport_url
property:/?__pro__proto__to__[transport_url]=foo
-
In the browser DevTools panel, go to the Elements tab and study the HTML content of the page. Observe that a <script> element has been rendered on the page, with the
src
attributefoo
. -
Modify the payload in the URL to inject an XSS proof-of-concept. For example, you can use a
data:
URL as follows:/?__pro__proto__to__[transport_url]=data:,alert(1);
-
Observe that the
alert(1)
is called and the lab is solved.