Pentest Chronicles
The Role of Prototypes in JavaScript
Prototypes allow JS to share properties between different objects. Every object in JS has a prototype object associated with it, which supplies the properties the object does not define itself. In other words, an object in JS inherits all the properties of its prototype, and this prototype can be accessed through the __proto__ property attached to the object.
In JavaScript's dynamic environment, objects don't exist in isolation. They often share properties, and this sharing is made possible by 'prototypes'. Think of prototypes as ancestral blueprints from which objects inherit properties. This inheritance link can be seen by looking into an object’s '__proto__' property.
However, like many methodologies, this shared inheritance has its downsides. This is where we can find a vulnerability called Prototype Pollution. It's like messing with a family tree, changing traits or qualities that should be passed down to the next generation (or in this case, objects). While this might seem harmless, in the wrong hands, it can be used to change properties that shouldn't be touched.
More details about Prototype Pollution itself can be found on the PortSwigger blog: https://portswigger.net/web-security/prototype-pollution
What's more concerning is that Prototype Pollution can set the stage for more serious vulnerabilities. It’s like the first domino in a long chain - push one, and the rest will follow. On the client side, in our case, the result is DOM Cross-Site Scripting (XSS). But for server-side situations, the risks are even higher, especially with threats like remote code execution.
How to find Prototype Pollution in a tested application?
Finding out whether an application is vulnerable usually starts with tools like Burp Suite. Using this tool, an auditor checks whether he or she can add new properties to a JavaScript prototype. Once a property has been added there, it is inherited by every object built from that prototype, which can lead to exploitation.
For example, an attacker might modify the 'div' array in a URL, and when checking the browser console, he or she might see the injected value at the end of the array, showing that the property change succeeded.
It is important to note that exploiting prototype pollution requires both a source and a gadget. A prototype pollution gadget exists when the site uses an inherited property in a dangerous way without validating it.
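The source-and-gadget mechanism above, as an added example that is not code from the original post: a recursive merge that copies untrusted JSON into an object, first in a form that pollutes Object.prototype and then hardened to reject the keys that reach the prototype chain. The JSON input and the isAdmin property are constructed for the demonstration.

```javascript
// Constructed sample input: JSON as it might arrive in a request body or from a
// query-string parser that builds nested objects from bracket notation.
const UNTRUSTED_JSON = '{"name":"test","__proto__":{"isAdmin":true}}';

// Vulnerable: copies every key of `src` into `target`, recursing into objects.
// JSON.parse creates a real own property named "__proto__", so the recursion
// descends into target.__proto__ (Object.prototype) and writes "isAdmin" there.
function unsafeMerge(target, src) {
  for (const key in src) {
    const value = src[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that lead to the prototype chain, recurse only into
// the target's own properties, and build nested containers without a prototype.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = src[key];
    if (typeof value === 'object' && value !== null) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs both merges on the same input and reports what an unrelated, empty object
// inherits afterwards. The pollution is removed between the two steps.
function runDemo() {
  const before = ({}).isAdmin;                       // undefined: clean prototype
  unsafeMerge({}, JSON.parse(UNTRUSTED_JSON));
  const afterUnsafe = ({}).isAdmin;                  // true: every object is now "admin"
  delete Object.prototype.isAdmin;
  const merged = safeMerge({}, JSON.parse(UNTRUSTED_JSON));
  const afterSafe = ({}).isAdmin;                    // undefined: prototype untouched
  return { before, afterUnsafe, afterSafe, mergedName: merged.name };
}
```

The check an unrelated empty object performs on isAdmin is the simplest detection of pollution: if a fresh object inherits a property nobody set on it, a merge somewhere wrote to Object.prototype.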
Looking for Prototype Pollution
We need to start with overriding the JavaScript prototype: