
[Security] Prototype Pollution

Prototype

A JavaScript object example

const user={
    username : "albert",
    number   :  5888
}

console.log(typeof(user))  //object

Values can be read with dot notation (.) or bracket notation ([''])

user.username     // "albert"
user['number']    // 5888

You can see that .toString converts the value to a string, but where is this function actually defined?

const array1 = ["cat","dog"];
console.log(array1.toString());  //"cat,dog"

JS has a property called __proto__: when a property is not found on the object itself, the lookup continues on the object that __proto__ points to.

The root of every such chain is null.

"".__proto__                        // String.prototype
"".__proto__.__proto__              // Object.prototype
"".__proto__.__proto__.__proto__    // null
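The chain above is exactly what a prototype pollution attack abuses: anything placed on Object.prototype is reachable from every object through that lookup. The following is an added example, not code from the original post; it walks a value's prototype chain, classifies a property lookup as own, inherited or missing, and (with a constructed pollution of a made-up key isAdmin) shows the difference and cleans up afterwards.

```javascript
// Added example (not from the original post): inspect the prototype chain and
// distinguish own properties from ones inherited through __proto__.

// Return the chain of prototypes for a value, ending just before null.
function prototypeChain(value) {
  const chain = [];
  let proto = Object.getPrototypeOf(Object(value));
  while (proto !== null) {
    chain.push(proto);
    proto = Object.getPrototypeOf(proto);
  }
  return chain;
}

// Say where a lookup of `key` on `obj` resolves:
// 'own'       -> defined on the object itself
// 'inherited' -> found somewhere up the prototype chain
// 'missing'   -> not found anywhere
function resolveProperty(obj, key) {
  if (Object.prototype.hasOwnProperty.call(obj, key)) return 'own';
  if (key in obj) return 'inherited';
  return 'missing';
}

// Constructed demonstration: a key that no object defines becomes visible on
// every object once it is placed on Object.prototype. The pollution is
// removed at the end so the runtime is left as it was found.
function demo() {
  const user = { username: 'albert', number: 5888 };
  const before = resolveProperty(user, 'isAdmin');      // 'missing'
  Object.prototype.isAdmin = true;                       // constructed pollution
  const during = resolveProperty(user, 'isAdmin');      // 'inherited'
  const seenByFreshObject = ({}).isAdmin;                // true
  delete Object.prototype.isAdmin;                       // clean-up
  const after = resolveProperty(user, 'isAdmin');       // 'missing'
  return { before, during, seenByFreshObject, after };
}

console.log(prototypeChain("").map(p => p === String.prototype ? 'String.prototype' : 'Object.prototype'));
console.log(demo());
```

The practical takeaway for code that consumes untrusted objects: a truthy check such as `if (obj.isAdmin)` cannot tell an own property from a polluted one, whereas `Object.prototype.hasOwnProperty.call(obj, key)` (or `Object.hasOwn` on newer runtimes) only sees the object's own keys.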

Protect

Incorrect use of defineProperty (value not set)

let user = {username:"admin"};
Object.defineProperty(user,'username', {configurable:false,writable:false} ); //protect
user.username = 'hacker';    // assign directly
console.log(user.username);  //admin

Using prototype pollution

Object.prototype.value='hacker'; //pollution
let user = {username:"admin"};
Object.defineProperty(user,'username', {configurable:false,writable:false} ); //protect
console.log(user.username);  //hacker

Correct usage

Object.prototype.value='hacker'; //pollution failed

let user = {};
Object.defineProperty(user, 'username', {
   value: 'admin',
   configurable:false,
   writable:false
})

console.log(user.username)  //admin
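The reason the first defineProperty call is unsafe is that the descriptor object it receives is an ordinary object: when it omits value, the engine looks value up through the descriptor's prototype chain and finds the polluted Object.prototype.value. The following is an added example, not code from the original post; it puts the post's vulnerable pattern next to two hardened forms (stating value explicitly, and building the descriptor from a null-prototype object) and runs all three under a constructed pollution.

```javascript
// Added example (not from the original post): a property descriptor without an
// explicit `value` inherits one from a polluted Object.prototype. Two ways to
// close the hole are shown beside the weak form.

// Weak pattern from the post: descriptor without an explicit value.
function lockWithoutValue(obj, key) {
  Object.defineProperty(obj, key, { configurable: false, writable: false });
  return obj[key];
}

// Fix 1: state the value explicitly, so nothing inherited is consulted.
function lockWithValue(obj, key, value) {
  Object.defineProperty(obj, key, { value, configurable: false, writable: false });
  return obj[key];
}

// Fix 2: a descriptor with no prototype at all, so there is no chain from
// which an attacker-controlled `value` could be inherited.
function lockWithNullProtoDescriptor(obj, key, value) {
  const descriptor = Object.create(null);
  descriptor.value = value;
  descriptor.configurable = false;
  descriptor.writable = false;
  Object.defineProperty(obj, key, descriptor);
  return obj[key];
}

// Run the three variants under a constructed pollution, then remove it so the
// runtime is left unchanged even if one of the calls throws.
function compareUnderPollution() {
  Object.prototype.value = 'hacker';   // constructed pollution, as in the post
  try {
    const withoutValue = lockWithoutValue({ username: 'admin' }, 'username');
    const withValue = lockWithValue({ username: 'admin' }, 'username', 'admin');
    const nullProto = lockWithNullProtoDescriptor({ username: 'admin' }, 'username', 'admin');
    return { withoutValue, withValue, nullProto };
  } finally {
    delete Object.prototype.value;
  }
}

console.log(compareUnderPollution());
// { withoutValue: 'hacker', withValue: 'admin', nullProto: 'admin' }
```

The same inheritance applies to every other descriptor key (get, set, enumerable), so the rule is to never let a descriptor rely on defaults when the surrounding code may process untrusted input. Freezing Object.prototype with Object.freeze at application start blocks this class of pollution outright, but it can break libraries that legitimately extend built-in prototypes, so it needs testing before being deployed.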

Ref: https://portswigger.net/research/widespread-prototype-pollution-gadgets

This post is licensed under CC BY 4.0 by the author.