GitBook: [#2797] pp

This commit is contained in:
CPol 2021-10-22 10:16:40 +00:00 committed by gitbook-bot
parent c6b5cc40ea
commit 72cbd88461
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
6 changed files with 69 additions and 23 deletions

View file

@ -377,7 +377,8 @@
* [CSRF (Cross Site Request Forgery)](pentesting-web/csrf-cross-site-request-forgery.md) * [CSRF (Cross Site Request Forgery)](pentesting-web/csrf-cross-site-request-forgery.md)
* [Dangling Markup - HTML scriptless injection](pentesting-web/dangling-markup-html-scriptless-injection.md) * [Dangling Markup - HTML scriptless injection](pentesting-web/dangling-markup-html-scriptless-injection.md)
* [Deserialization](pentesting-web/deserialization/README.md) * [Deserialization](pentesting-web/deserialization/README.md)
* [NodeJS - \_\_proto\_\_ & prototype Pollution](pentesting-web/deserialization/nodejs-proto-prototype-pollution.md) * [NodeJS - \_\_proto\_\_ & prototype Pollution](pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md)
* [Client Side Prototype Pollution](pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.md)
* [Java JSF ViewState (.faces) Deserialization](pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization.md) * [Java JSF ViewState (.faces) Deserialization](pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization.md)
* [Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner](pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md) * [Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner](pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md)
* [Basic Java Deserialization (ObjectInputStream, readObject)](pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md) * [Basic Java Deserialization (ObjectInputStream, readObject)](pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md)
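Review bot: the new `Client Side Prototype Pollution` entry has to be indented one level deeper than the `NodeJS - __proto__ & prototype Pollution` line for GitBook to render it as a child of the new `nodejs-proto-prototype-pollution/README.md`; the rendered diff drops leading whitespace, so check the raw SUMMARY.md. Also confirm that `nodejs-proto-prototype-pollution.md` was renamed into the new directory rather than copied, otherwise two copies of the page will drift apart.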

View file

@ -136,8 +136,8 @@ For more information about escaping from **pickle jails** check:
If you want to learn about this technique **take a look to the following tutorial**: If you want to learn about this technique **take a look to the following tutorial**:
{% content-ref url="nodejs-proto-prototype-pollution.md" %} {% content-ref url="nodejs-proto-prototype-pollution/" %}
[nodejs-proto-prototype-pollution.md](nodejs-proto-prototype-pollution.md) [nodejs-proto-prototype-pollution](nodejs-proto-prototype-pollution/)
{% endcontent-ref %} {% endcontent-ref %}
### [node-serialize](https://www.npmjs.com/package/node-serialize) ### [node-serialize](https://www.npmjs.com/package/node-serialize)
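Review bot: this content-ref now targets the directory `nodejs-proto-prototype-pollution/` while the SUMMARY entry in the same commit uses `nodejs-proto-prototype-pollution/README.md`; both resolve in GitBook, but pick one form for the whole book so later link rewrites stay mechanical.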

View file

@ -1,10 +1,10 @@
# NodeJS - \__proto\_\_ & prototype Pollution # NodeJS - \_\_proto\_\_ & prototype Pollution
## Objects in JavaScript <a href="053a" id="053a"></a> ## Objects in JavaScript <a href="053a" id="053a"></a>
First of all, we need to understand `Object`in JavaScript. An object is simply a collection of key and value pairs, often called properties of that object. For example: First of all, we need to understand `Object`in JavaScript. An object is simply a collection of key and value pairs, often called properties of that object. For example:
![](<../../.gitbook/assets/image (389).png>) ![](<../../../.gitbook/assets/image (389).png>)
In Javascript, `Object`is a basic object, the template for all newly created objects. It is possible to create an empty object by passing `null`to `Object.create`. However, the newly created object will also have a type that corresponds to the passed parameter and inherits all the basic properties. In Javascript, `Object`is a basic object, the template for all newly created objects. It is possible to create an empty object by passing `null`to `Object.create`. However, the newly created object will also have a type that corresponds to the passed parameter and inherits all the basic properties.
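Review bot: the heading fix is right, `\__proto\_\_` left the first underscore pair unescaped so the title rendered `_proto_` as italics. While here, both context lines still read `Object`in JavaScript` with no space after the closing backtick; add the space, and the spelling `Javascript` in the last context line should be `JavaScript` to match the rest of the file.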
@ -12,7 +12,7 @@ In Javascript, `Object`is a basic object, the template for all newly created obj
console.log(Object.create(null)); // prints an empty object console.log(Object.create(null)); // prints an empty object
``` ```
![](<../../.gitbook/assets/image (360).png>) ![](<../../../.gitbook/assets/image (360).png>)
Previously we learned that an Object in javascript is collection of keys and values, so it makes sense that a `null` object is just an empty dictionary: `{}` Previously we learned that an Object in javascript is collection of keys and values, so it makes sense that a `null` object is just an empty dictionary: `{}`
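Review bot: the trailing context line is missing an article, `an Object in javascript is collection of keys and values` should read `is a collection of keys and values`, and `javascript` should be capitalised `JavaScript` as elsewhere on the page.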
@ -30,25 +30,25 @@ function person(fullName, age) {
} }
``` ```
![](<../../.gitbook/assets/image (361).png>) ![](<../../../.gitbook/assets/image (361).png>)
```javascript ```javascript
var person1 = new person("Satoshi", 70); var person1 = new person("Satoshi", 70);
``` ```
![](<../../.gitbook/assets/image (362).png>) ![](<../../../.gitbook/assets/image (362).png>)
## Prototypes in JavaScript <a href="3843" id="3843"></a> ## Prototypes in JavaScript <a href="3843" id="3843"></a>
One thing to note is that the prototype attribute can be changed/modified/deleted when executing the code. For example functions to the class can be dynamically added: One thing to note is that the prototype attribute can be changed/modified/deleted when executing the code. For example functions to the class can be dynamically added:
![](<../../.gitbook/assets/image (363).png>) ![](<../../../.gitbook/assets/image (363).png>)
Functions of the class can also be modified (like `toString` or `valueOf` the following cases): Functions of the class can also be modified (like `toString` or `valueOf` the following cases):
![](<../../.gitbook/assets/image (364).png>) ![](<../../../.gitbook/assets/image (364).png>)
![](<../../.gitbook/assets/image (365).png>) ![](<../../../.gitbook/assets/image (365).png>)
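Review bot: the context sentence `For example functions to the class can be dynamically added` reads better as `for example, functions can be dynamically added to the class`, and `like `toString` or `valueOf` the following cases` needs a connector, e.g. `as in the following cases`. The image path bump to `../../../` is correct for the new directory depth.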
## Inheritance ## Inheritance
@ -56,9 +56,9 @@ In a prototype-based program, objects inherit properties/methods from classes. T
Note that, if you add a property to an object that is used as the prototype for a set of objects (like the myPersonObj), the objects for which it is the prototype also get the new property, but that property is not printed unless specifically called on. Note that, if you add a property to an object that is used as the prototype for a set of objects (like the myPersonObj), the objects for which it is the prototype also get the new property, but that property is not printed unless specifically called on.
![](<../../.gitbook/assets/image (366).png>) ![](<../../../.gitbook/assets/image (366).png>)
## \__proto\_\_ pollution <a href="0d0a" id="0d0a"></a> ## \_\_proto\_\_ pollution <a href="0d0a" id="0d0a"></a>
You should have already learned that** every object in JavaScript is simply a collection of key and value** pairs and that **every object inherits from the Object type in JavaScript**. This means that if you are able to pollute the Object type **each JavaScript object of the environment is going to be polluted!** You should have already learned that** every object in JavaScript is simply a collection of key and value** pairs and that **every object inherits from the Object type in JavaScript**. This means that if you are able to pollute the Object type **each JavaScript object of the environment is going to be polluted!**
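Review bot: in the context line the bold marker `that** every object in JavaScript is simply a collection of key and value** pairs` has a space immediately after the opening `**` and before the closing `**`; CommonMark does not treat these as delimiters, so the asterisks render literally. Move the spaces outside the markers: `that **every object in JavaScript is simply a collection of key and value** pairs`.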
@ -155,7 +155,7 @@ Imagine that we have a prototype pollution that makes it possible to set `Object
For example, `obj[a][b] = value`. If the attacker can control the value of `a` and `value`, then he only needs to adjust the value of `a`to `__proto__`(in javascript, `obj["__proto__"]` and `obj.__proto__`are completely equivalent) then property `b` of all existing objects in the application will be assigned to `value`. For example, `obj[a][b] = value`. If the attacker can control the value of `a` and `value`, then he only needs to adjust the value of `a`to `__proto__`(in javascript, `obj["__proto__"]` and `obj.__proto__`are completely equivalent) then property `b` of all existing objects in the application will be assigned to `value`.
However, the attack is not as simple as the one above, according to [paper](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf), we can only attack when one of the following three conditions is met: However, the attack is not as simple as the one above, according to [paper](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript\_prototype\_pollution\_attack\_in\_NodeJS.pdf), we can only attack when one of the following three conditions is met:
* Perform recursive merge * Perform recursive merge
* Property definition by path * Property definition by path
@ -516,10 +516,9 @@ requests.get(TARGET_URL)
## Client-side prototype pollution to XSS ## Client-side prototype pollution to XSS
* [https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#prototype-pollution](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#prototype-pollution) {% content-ref url="client-side-prototype-pollution.md" %}
* [https://github.com/BlackFan/client-side-prototype-pollution](https://github.com/BlackFan/client-side-prototype-pollution) [client-side-prototype-pollution.md](client-side-prototype-pollution.md)
{% endcontent-ref %}
You can also use the tool [**https://github.com/dwisiswant0/ppfuzz**](https://github.com/dwisiswant0/ppfuzz?tag=v1.0.0) to try to find this kind of vulnerabilities.
## What can I do to prevent? ## What can I do to prevent?
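Review bot: keep the `## Client-side prototype pollution to XSS` heading text exactly as it is, because pentesting-web/README.md and the postMessage page in this same commit link to the `#client-side-prototype-pollution-to-xss` anchor. The ppfuzz pointer and the two reference URLs removed here reappear in the new client-side-prototype-pollution.md, so nothing is lost, but a one-line sentence before the content-ref saying that tooling and payload references moved to the child page would help readers arriving via the old anchor.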

View file

@ -0,0 +1,46 @@
# Client Side Prototype Pollution
## Discovering using Automatic tools
The tools [**https://github.com/dwisiswant0/ppfuzz**](https://github.com/dwisiswant0/ppfuzz?tag=v1.0.0) and [**https://github.com/kleiton0x00/ppmap**](https://github.com/kleiton0x00/ppmap)** **can be used to find prototype pollution vulnerabilities. And there is an easy way to once they found the vulnerabilities **discover where is the vulnerable code**:
* Using one of the tools **find a vulnerability** and get a **payload** that will **set a property** in the constructor. In ppmap you will be given something like: `constructor[prototype][ppmap]=reserved`
* Now, set a **breakpoint in the first line of JS code** that is going to be executed in the page, and refresh the page with the payload so the **execution is paused there**.
* While the JS execution is paused **paste the following script in the JS console**. This code will indicate once the property 'ppmap' is created, so you will be able to find where it was created.
```javascript
function debugAccess(obj, prop, debugGet){
var origValue = obj[prop];
Object.defineProperty(obj, prop, {
get: function () {
if ( debugGet )
debugger;
return origValue;
},
set: function(val) {
debugger;
return origValue = val;
}
});
};
debugAccess(Object.prototype, 'ppmap')
```
### Finding the root cause of Prototype Pollution <a href="5530" id="5530"></a>
Go back to **Sources** and click “Resume script execution”. After you do that, the whole javascript will be executed and ppmap will be polluted again as expected. With the help of the Snippet we can find where exactly the ppmap property is polluted. We can click on the Call Stack and you will face different stacks where the pollution happened.
But which one to choose? Most of the time Prototype Pollution happens on Javascript libraries, so aim for the stack which is attached to the .js library files (look at the right side just like in the image to know which endpoint the stack is attached to). In this case we have 2 stacks on line 4 and 6, logically we will choose the 4th line because that line is the first time where Pollution happens, which mean that this line is the reason of the vulnerability. Clicking on the stack will redirect us to the vulnerable code.
![](https://miro.medium.com/max/1400/1\*S8NBOl1a7f1zhJxlh-6g4w.jpeg)
This trick was taken from [https://infosecwriteups.com/hunting-for-prototype-pollution-and-its-vulnerable-code-on-js-libraries-5bab2d6dc746](https://infosecwriteups.com/hunting-for-prototype-pollution-and-its-vulnerable-code-on-js-libraries-5bab2d6dc746) for access it for more information.
## Recompilation of payloads for vulnerable libraries
* [https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#prototype-pollution](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#prototype-pollution)
* [https://github.com/BlackFan/client-side-prototype-pollution](https://github.com/BlackFan/client-side-prototype-pollution)
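Review bot: in the `debugAccess` snippet the call `debugAccess(Object.prototype, 'ppmap')` never passes `debugGet`, so the getter's `debugger` branch is dead and only the setter pauses the debugger; that is the behaviour the text wants (pause on the write that pollutes the property), so either say so or drop the unused parameter. In the setter, `return origValue = val;` works but a setter's return value is ignored, so `origValue = val;` is clearer, and the `};` after the function declaration is a stray semicolon. Editorially: the heading `Recompilation of payloads` should be `Compilation of payloads`, `Discovering using Automatic tools` should be `Discovery using automatic tools`, the sentence `And there is an easy way to once they found the vulnerabilities discover where is the vulnerable code` should read `Once a tool has found the vulnerability, there is an easy way to discover where the vulnerable code is`, and `for access it for more information` should be `see it for more information`. The screenshot is hotlinked from `miro.medium.com` while every other image in this commit lives under `.gitbook/assets`; copy it into assets so the page does not break when the Medium CDN URL changes.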

View file

@ -112,7 +112,7 @@ setTimeout(function(){w.postMessage('text here','*');}, 2000);
In scenarios where the data sent through `postMessage` is executed by JS, you can **iframe **the **page **and **exploit **the **prototype pollution/XSS **sending the exploit via `postMessage`. In scenarios where the data sent through `postMessage` is executed by JS, you can **iframe **the **page **and **exploit **the **prototype pollution/XSS **sending the exploit via `postMessage`.
A couple of **very good explained XSS though `postMessage`** can be found in [https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage\_2.html](https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage\_2.html) A couple of **very good explained XSS though `postMessage`** can be found in [https://jlajara.gitlab.io/web/2020/07/17/Dom\_XSS\_PostMessage\_2.html](https://jlajara.gitlab.io/web/2020/07/17/Dom\_XSS\_PostMessage\_2.html)
Example of an exploit to abuse** Prototype Pollution and then XSS** through a `postMessage` to an `iframe`: Example of an exploit to abuse** Prototype Pollution and then XSS** through a `postMessage` to an `iframe`:
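Review bot: the bold runs in the first context line, `**iframe **the **page **and **exploit **the **prototype pollution/XSS **`, place a space before each closing `**`, which CommonMark does not accept as a closing delimiter, so they render as literal asterisks; move the spaces outside the markers. Also `XSS though `postMessage`` should be `through`, and `abuse** Prototype Pollution and then XSS**` has the same misplaced-space problem after `abuse`. The underscore escaping added to the `Dom_XSS_PostMessage_2.html` URL is valid in a link destination but unnecessary.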
@ -134,11 +134,11 @@ Example of an exploit to abuse** Prototype Pollution and then XSS** through a `p
For **more information**: For **more information**:
* Link to page about [**prototype pollution**](deserialization/nodejs-proto-prototype-pollution.md)**** * Link to page about [**prototype pollution**](deserialization/nodejs-proto-prototype-pollution/)****
* Link to page about [**XSS**](xss-cross-site-scripting/)**** * Link to page about [**XSS**](xss-cross-site-scripting/)****
* Link to page about [**client side prototype pollution to XSS**](deserialization/nodejs-proto-prototype-pollution.md#client-side-prototype-pollution-to-xss)**** * Link to page about [**client side prototype pollution to XSS**](deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss)****
## References ## References
* [https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage\_2.html](https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage\_2.html) * [https://jlajara.gitlab.io/web/2020/07/17/Dom\_XSS\_PostMessage\_2.html](https://jlajara.gitlab.io/web/2020/07/17/Dom\_XSS\_PostMessage\_2.html)
* [https://dev.to/karanbamal/how-to-spot-and-exploit-postmessage-vulnerablities-36cd](https://dev.to/karanbamal/how-to-spot-and-exploit-postmessage-vulnerablities-36cd) * [https://dev.to/karanbamal/how-to-spot-and-exploit-postmessage-vulnerablities-36cd](https://dev.to/karanbamal/how-to-spot-and-exploit-postmessage-vulnerablities-36cd)
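Review bot: each link line in this hunk ends with `****`, an empty bold pair left behind by the GitBook editor; it is harmless in GitBook but shows up as literal asterisks in other markdown renderers, so strip it. The new `deserialization/nodejs-proto-prototype-pollution/` paths match the SUMMARY change in this commit, and the `#client-side-prototype-pollution-to-xss` anchor still resolves because that heading is unchanged.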

View file

@ -33,7 +33,7 @@ If the introduced data may somehow being reflected in the response, the page mig
* [ ] ****[**Dangling Markup**](dangling-markup-html-scriptless-injection.md)**** * [ ] ****[**Dangling Markup**](dangling-markup-html-scriptless-injection.md)****
* [ ] [**File Inclusion/Path Traversal**](file-inclusion/)**** * [ ] [**File Inclusion/Path Traversal**](file-inclusion/)****
* [ ] [**Open Redirect**](open-redirect.md)**** * [ ] [**Open Redirect**](open-redirect.md)****
* [ ] ****[**Prototype Pollution to XSS**](deserialization/nodejs-proto-prototype-pollution.md#client-side-prototype-pollution-to-xss)**** * [ ] ****[**Prototype Pollution to XSS**](deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss)****
* [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)**** * [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)****
* [ ] [**Server Side Request Forgery**](ssrf-server-side-request-forgery.md)**** * [ ] [**Server Side Request Forgery**](ssrf-server-side-request-forgery.md)****
* [ ] [**Server Side Template Injection**](ssti-server-side-template-injection/)**** * [ ] [**Server Side Template Injection**](ssti-server-side-template-injection/)****
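Review bot: the checklist items here also carry trailing `****` (and a leading `****` on the Dangling Markup and Prototype Pollution lines), empty bold pairs that should be removed while the line is being edited. The updated `deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss` target is consistent with the directory move elsewhere in this commit.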