Privilege escalation via server-side prototype pollution
This lab is built on Node.js
and the Express
framework. It is vulnerable to server-side prototype pollution because it unsafely merges user-controllable input into a server-side JavaScript object. This is simple to detect because any polluted properties inherited via the prototype chain are visible in an HTTP response.
Reproduction and PoCs
Study the address change feature
Log in and visit your account page. Submit the form for updating your billing and delivery address.
In Burp, go to the Proxy -> HTTP history tab and find the
POST /my-account/change-address
request.When submitting the form, the data from the fields is sent to the server as JSON. The server responds with a JSON object that appears to represent your user. This has been updated to reflect the new address information.
Send the request to Burp Repeater.
Identify a prototype pollution source
In Repeater, add a new property to the JSON with the name
__proto__
, containing an object with an arbitrary property:
"__proto__": {
"foo":"bar"
}
Send the request.
Notice that the object in the response now includes the arbitrary property that you injected, but no
__proto__
property. This strongly suggests that you have successfully polluted the object’s prototype and that your property has been inherited via the prototype chain.
Identify a gadget
Look at the additional properties in the response body.
Notice the
isAdmin
property, which is currently set to false.
Craft an exploit
Modify the request to try polluting the prototype with your own
isAdmin
property:
"__proto__": {
"isAdmin":true
}
Send the request. Notice that the
isAdmin
value in the response has been updated. This suggests that the object doesn’t have its ownisAdmin
property, but has instead inherited it from the polluted prototype.In the browser, refresh the page and confirm that you now have a link to access the admin panel.
Go to the admin panel and delete the user carlos to solve the lab.
Exploitability
An attacker will need to find a prototype pollution source that can be used to add arbitrary properties to the global Object.prototype
; identify a gadget property that can be used to escalate privileges; then access the admin panel and delete the user carlos.