Xss

Prototype Pollution


Proto merging

This is a classic prototype pollution example. Can you exploit it?

Goal: alert(flag)

Hints

Hint #1

You need to pollute the prototype of Object if you want config.debug to be true.

Hint #2

User and Config share the same prototype; try to assign a value to that prototype.

You can access the prototype of any object using obj.__proto__.

Solution


We need config.debug to be true if we want to inject some HTML into the page. Since debug is not defined on config itself, the JS interpreter walks up the prototype chain and checks whether the attribute is defined on config's prototype.

Because of the vulnerable merge function, it is possible to set the debug attribute of Object's prototype to 1.

Accessing the __proto__ attribute of an object gives you the prototype of that object; here the prototype of user is Object.prototype, the same prototype config uses.

Our payload is split into two parts: first we set debug to 1 on the shared prototype, then we add a dummy attribute carrying the HTML payload.

$user = {"__proto__": {"debug": 1}, "x" : "<img src=x: onerror=alert(flag)>"}
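As an added example (not code from the challenge page), the script below puts a merge that recurses into `__proto__`, as the solution describes, next to a hardened merge, and feeds both the payload above; `isPlainObject`, `unsafeMerge`, `safeMerge`, `demo` and `FORBIDDEN_KEYS` are names chosen here, and the HTML string is never inserted into a DOM, it is only copied as data.

```javascript
// Added example: vulnerable recursive merge vs. hardened merge, both run on
// the challenge payload. Assumes user/config are plain object literals.
function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}
// Vulnerable: for...in walks the "__proto__" key, target["__proto__"] resolves
// to Object.prototype, and the recursion writes debug onto that shared object.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}
// Hardened: only own keys are copied, and keys that reach the prototype chain
// are skipped; nested targets are created unless they are own plain objects.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}
// Parse the payload as JSON (which yields an own "__proto__" key, unlike an
// object literal), merge it into a fresh user, then check whether an unrelated
// config object now inherits debug. Object.prototype is cleaned up afterwards.
function demo(mergeFn) {
  const payload = JSON.parse(
    '{"__proto__": {"debug": 1}, "x": "<img src=x: onerror=alert(flag)>"}'
  );
  const user = mergeFn({}, payload);
  const config = {};                         // debug never set on it directly
  const polluted = config.debug === 1;
  delete Object.prototype.debug;
  return { polluted, userX: user.x };
}
```

With `unsafeMerge`, `config.debug` becomes 1 even though config was never touched; with `safeMerge`, the `x` attribute is still copied but the prototype stays clean.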
