Prototype pollution is a vulnerability that exploits inheritance behavior in JavaScript to create malicious instances of data types, which, in the right conditions, can result in the execution of attacker-supplied code. Depending on the context, this can have impacts ranging from DOM-based Cross-Site Scripting to even Remote Code Execution. What sets this apart from other attacks, such as "standard" Cross-Site Scripting, is that the impact targets the prototype that other data types will inherit from.

Before embarking on this research, we had heard of prototype pollution but had a difficult time wrapping our heads around it. We'd seen the term used often in the context of vulnerable JavaScript libraries, but didn't have a solid understanding of what the impacts could be or how they came about. So, we turned to the existing published works on the subject.

In 2018-2021, there were several articles and papers published regarding prototype pollution that showed how significant an impact it could have in specific situations:

- Olivier Arteau's 2018 publication identified a litany of NodeJS libraries vulnerable to prototype pollution, including remote code execution in the Ghost CMS content management system.
- In 2019, Michał Bentkowski discovered a method of exploiting a prototype pollution in the Kibana data visualization utility that made it possible to cause an application server to execute system commands and gain remote command execution.
- In 2021 (after we had already been inspired by their work), a team of researchers including Sergey Bobrov and s1r1us made a publication that landed prototype pollution on Portswigger's Top 10 web hacking techniques of the year.

While these publications are impressive, they were a lot to process for our initial exposure to prototype pollution. To benefit our own understanding of the vulnerability, we thought it was best to start with a simpler proof of concept, such as an alert window, before moving on to CVE-worthy discoveries. So, we decided to get hands on with the material in a sandbox setting. Thanks to the work done by researchers on a repository maintained by Sergey Bobrov, we created a test page and began reverse engineering prototype pollution attacks using the browser's debugger until we had figured out exactly what was going on.
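The following is an added example, not code from the original post or from any of the repositories it mentions, that shows the inheritance mechanism the paragraph above describes: a recursive merge that walks into `__proto__` writes onto `Object.prototype`, and every plain object created afterwards inherits the attacker-chosen property. The hardened `safeMerge` beside it skips the `__proto__`, `constructor` and `prototype` keys and only recurses into the target's own properties, and `unexpectedPrototypeKeys` is a simple runtime check a defender can use, since a clean `Object.prototype` has no enumerable keys. All function names and the JSON payload are constructed for this example.

```javascript
// Typical "deep merge" helper as found in many older utility libraries.
// It trusts every key of `source`, including "__proto__", and follows
// target["__proto__"] straight to Object.prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      unsafeMerge(target[key], value);   // recurses into Object.prototype when key is "__proto__"
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant: ignore the keys that reach a prototype, iterate only own
// keys of the source, and never recurse into a property the target merely inherits.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
      const ownExisting = Object.prototype.hasOwnProperty.call(target, key) &&
        typeof target[key] === 'object' && target[key] !== null;
      if (!ownExisting) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection aid: Object.prototype's built-in members are non-enumerable, so any
// enumerable own key on it is a sign that something has polluted it.
function unexpectedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Runs the vulnerable merge and the hardened one against the same constructed
// payload and reports what an unrelated, freshly created object inherits.
function runPollutionDemo() {
  // Constructed sample input; JSON.parse keeps "__proto__" as an ordinary own key.
  const payload = '{"__proto__": {"polluted": "yes"}}';

  const before = ({}).polluted;                      // undefined on a clean prototype
  unsafeMerge({}, JSON.parse(payload));
  const afterUnsafe = ({}).polluted;                 // "yes": inherited by every object
  const detected = unexpectedPrototypeKeys();        // ["polluted"]
  delete Object.prototype.polluted;                  // clean up for the rest of the process

  safeMerge({}, JSON.parse(payload));
  const afterSafe = ({}).polluted;                   // still undefined

  return { before, afterUnsafe, detected, afterSafe };
}

console.log(runPollutionDemo());
```

Run it with `node` to see the three observations side by side; the property shows up on an object that was never merged at all, which is exactly why the impact lands on "the prototype that other data types will inherit from" rather than on a single variable.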