the objects created in the application through the prototype chain.
• If Object.prototype is tampered with by a malicious user somehow, then every object in the application inherits the tampered property.
sites which have vulnerable location parsing, either via the query value or the hash value in the URL.
- Advantage:
  - Scalable
- Disadvantage:
  - Only finds vulnerable location parsing
  - We can't scan authenticated pages
which leads to pollution, we need to do static analysis.
- Used CodeQL.
- Advantage: Can find all sources and sinks which lead to prototype pollution.
- Disadvantage: Not scalable.
a piece of code in the application which can be triggered via prototype pollution and can be used to upgrade prototype pollution to XSS.
- Hard and interesting part after detection.
- Need to find the gadget most of the time.
- If you are lucky, pollute.js and untrusted-types can quickly find one.
- Idea: I think it can be automated with CodeQL.
top pages of Google, FB, and some private programs.
• Created a database with CodeQL:
    codeql database create vulnerable_db --language=javascript --source-root database/
• Run the query on the DB:
    codeql query run --database=./vulnerable_db ../pp-automation/learn.ql
sealing, or Object.create(null) is not enough.
◦ For how not to fix, you should definitely check BlackFan's talk and the pugpug challenge in the BSides Ahmedabad CTF.
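As an added illustration of the "vulnerable location parsing" sink and of why Object.create(null) alone is not a fix (example code written for this page, not from the talk or from any of the tools it names; the function and constant names are assumed): a small hash/query parameter parser in its polluting form and in a hardened form.

```javascript
// Added example, not code from the talk: a tiny hash/query parameter parser of the
// kind the slides call "vulnerable location parsing", polluting form beside hardened form.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// "a[b][c]" -> ["a", "b", "c"]
function parseKeyPath(key) {
  return key.replace(/\]/g, "").split("[");
}

// Shared tokenizer: "?a[b]=1&c=2" -> [[["a","b"],"1"], [["c"],"2"]]
function tokenize(query) {
  return query.replace(/^[?#]/, "").split("&").filter(Boolean).map((pair) => {
    const [rawKey, rawValue = ""] = pair.split("=");
    return [parseKeyPath(decodeURIComponent(rawKey)), decodeURIComponent(rawValue)];
  });
}

// VULNERABLE (deliberately naive): nested keys are followed without checking their
// names, so "__proto__[x]=y" walks onto Object.prototype and every object inherits x.
function unsafeParseParams(query) {
  const result = {};
  for (const [path, value] of tokenize(query)) {
    let node = result;
    for (const key of path.slice(0, -1)) {
      if (typeof node[key] !== "object" || node[key] === null) node[key] = {};
      node = node[key];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// HARDENED: drop any pair whose path touches a prototype-related key, descend only
// into own properties, and use null-prototype containers. The key check is the fix;
// Object.create(null) alone is not, as the slides note.
function safeParseParams(query) {
  const result = Object.create(null);
  for (const [path, value] of tokenize(query)) {
    if (path.some((k) => FORBIDDEN_KEYS.has(k))) continue;
    let node = result;
    for (const key of path.slice(0, -1)) {
      const own = Object.prototype.hasOwnProperty.call(node, key);
      if (!own || typeof node[key] !== "object") node[key] = Object.create(null);
      node = node[key];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}
```

A quick pollution probe after parsing a URL fragment is to read a fresh object literal (`({}).someName`): anything other than undefined means the prototype was reached.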