@Serhatcck
Last active March 5, 2023 21:06
Client Side Prototype Pollution Challenge
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Prototype Pollution</title>
<style>
  /* Draw a visible grid around the table and every cell. */
  table,
  th,
  td {
    border: 1px solid black;
  }

  /* Fixed-size container that the generated table is appended to. */
  #result {
    width: 50%;
    height: 250px;
  }

  /* The table fills its container. */
  table {
    width: 100%;
    height: 100%;
  }
</style>
</head>
<body>
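<!-- Submits with GET to the current page, so every field ends up in the query string under its bracketed name. -->
<form method="get">
  <h1>Submit Form</h1>
  <!-- Each label is bound to its input through for/id so assistive technology announces it. -->
  <label for="value-0">Value 1</label>
  <input id="value-0" name="value[0]" type="text">
  <label for="value-1">Value 2</label>
  <input id="value-1" name="value[1]" type="text">
  <label for="value-2">Value 3</label>
  <input id="value-2" name="value[2]" type="text">
  <label for="value-3">Value 4</label>
  <input id="value-3" name="value[3]" type="text">
  <button type="submit">Submit Form</button>
</form>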
<br>
<div id="result">
</div>
<br>
<div id="script">
</div>
<script>
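/**
 * Parse the page's query string into an object of arrays.
 *
 * Only parameters written with bracket syntax (`name[index]=value`) are
 * collected; parameters without brackets are skipped. The first value seen
 * for a name is stored at the given index; every later value for the same
 * name is appended with push(), so its index is not used.
 *
 * @returns {Object} Plain object mapping each base name to an array of values.
 */
function resultArrayFromURL() {
  var resultArray = {};

  // URLSearchParams splits on "&" and "=" before percent-decoding each part,
  // so an encoded "&" or "=" inside a value no longer breaks the parse, "+"
  // is read as a space (what a GET form submission sends), and a missing or
  // malformed query string yields no parameters instead of throwing.
  var query = new URLSearchParams(window.location.search);
  var bracketPattern = /\[.*?\]/;

  query.forEach(function (paramValue, arrayKeyIndex) {
    // Ignore anything that is not of the form name[index].
    if (!bracketPattern.test(arrayKeyIndex)) {
      return;
    }

    // Example: "value[0]" => key = "value", index = "0".
    var key = arrayKeyIndex.split("[")[0];
    var index = arrayKeyIndex.split("[")[1].split("]")[0];

    // NOTE(review): `key` and `index` come straight from the URL and are used
    // unfiltered as property names on a plain object. A name such as
    // "__proto__" is therefore not stored as data but handled by the object's
    // prototype setter; presumably this is the flaw the challenge is named
    // after, so it is left in place. Outside a lab, collect into
    // Object.create(null) or a Map and reject the names "__proto__",
    // "constructor" and "prototype".
    if (Object.prototype.toString.call(resultArray[key]) === "[object Array]") {
      // A value already exists for this name: append.
      resultArray[key].push(paramValue);
    } else {
      // First value for this name: start a new array at the given index.
      var tmp = [];
      tmp[index] = paramValue;
      resultArray[key] = tmp;
    }
  });

  return resultArray;
}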
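/**
 * Build a two-column table (parameter name, parameter value) from the object
 * returned by resultArrayFromURL().
 *
 * Every cell is filled through textContent, so names and values are rendered
 * as plain text and never parsed as HTML.
 *
 * @param {Object} array Object whose properties are arrays of values,
 *   e.g. { value: ["demo", "demo2"] }.
 * @returns {HTMLTableElement} The assembled table; the caller attaches it.
 */
function createTable(array) {
  var table = document.createElement("table");

  // Header cells belong in a row; <th> directly inside <thead> is invalid markup.
  var thead = document.createElement("thead");
  var headerRow = document.createElement("tr");
  ["Parameter Name", "Parameter Value"].forEach(function (title) {
    var th = document.createElement("th");
    th.textContent = title;
    headerRow.appendChild(th);
  });
  thead.appendChild(headerRow);

  var tbody = document.createElement("tbody");

  // Loop variables are declared locally; the original leaked them as globals.
  // NOTE(review): for...in also visits inherited enumerable properties, so
  // whatever sits on the prototype chain of `array` is listed as well. That
  // is kept as-is for the lab; production code should iterate Object.keys()
  // or check Object.prototype.hasOwnProperty.call() first.
  for (var parentKey in array) {
    for (var index in array[parentKey]) {
      // One row per value: [parameter name, value].
      var tr = document.createElement("tr");
      var nameCell = document.createElement("td");
      nameCell.textContent = parentKey;
      var valueCell = document.createElement("td");
      valueCell.textContent = array[parentKey][index];
      tr.appendChild(nameCell);
      tr.appendChild(valueCell);
      tbody.appendChild(tr);
    }
  }

  table.appendChild(thead);
  table.appendChild(tbody);
  return table;
}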
// Parse the query string once and render the collected parameters as a table.
var params = resultArrayFromURL();
document.getElementById("result").appendChild(createTable(params));
// NOTE(review): params is built entirely from the query string, so
// params.script is untrusted input. It is passed to eval() and the result is
// assigned to innerHTML; both are script-execution sinks. The property lookup
// also does not distinguish an own property from an inherited one. This looks
// deliberate for the challenge and is left unchanged. In real code: never
// eval() request data, write output with textContent, require
// Object.prototype.hasOwnProperty.call(params, "script") before trusting the
// value, and serve the page with a Content-Security-Policy that omits
// 'unsafe-eval'.
if(params.script){
document.getElementById("script").innerHTML = eval(params.script)
}
</script>
</body>
</html>