Privilege escalation via server-side prototype pollution

This lab is built on Node.js and the Express framework. It is vulnerable to server-side prototype pollution because it unsafely merges user-controllable input into a server-side JavaScript object. This is simple to detect because any polluted properties inherited via the prototype chain are visible in an HTTP response.

Reproduction and PoCs

Study the address change feature

  1. Log in and visit your account page. Submit the form for updating your billing and delivery address.

  2. In Burp, go to the Proxy -> HTTP history tab and find the POST /my-account/change-address request.

  3. When submitting the form, the data from the fields is sent to the server as JSON. The server responds with a JSON object that appears to represent your user. This has been updated to reflect the new address information.

  4. Send the request to Burp Repeater.

Identify a prototype pollution source

  1. In Repeater, add a new property to the JSON with the name __proto__, containing an object with an arbitrary property:

"__proto__": {
    "foo":"bar"
}

  1. Send the request.

  2. Notice that the object in the response now includes the arbitrary property that you injected, but no __proto__ property. This strongly suggests that you have successfully polluted the object’s prototype and that your property has been inherited via the prototype chain.

Prototype pollution

Identify a gadget

  1. Look at the additional properties in the response body.

  2. Notice the isAdmin property, which is currently set to false.

Craft an exploit

  1. Modify the request to try polluting the prototype with your own isAdmin property:

"__proto__": {
    "isAdmin":true
}

Prototype pollution

  1. Send the request. Notice that the isAdmin value in the response has been updated. This suggests that the object doesn’t have its own isAdmin property, but has instead inherited it from the polluted prototype.

  2. In the browser, refresh the page and confirm that you now have a link to access the admin panel.

  3. Go to the admin panel and delete the user carlos to solve the lab.

Prototype pollution

Exploitability

An attacker will need to find a prototype pollution source that can be used to add arbitrary properties to the global Object.prototype; identify a gadget property that can be used to escalate privileges; then access the admin panel and delete the user carlos.