DOM XSS via client-side prototype pollution
This lab is vulnerable to DOM XSS via client-side prototype pollution.
Reproduction and proof of concept
Find a prototype pollution source
In browser, try polluting the
Object.prototypeby injecting an arbitrary property via the query string:
Open the browser DevTools panel and go to the Console tab.
Study the properties of the returned object. Observe that it now has a
fooproperty with the value bar. You’ve successfully found a prototype pollution source.
Identify a gadget
In the browser DevTools panel, go to the Sources tab.
searchLogger.js, notice that if the config object has a
transport_urlproperty, this is used to dynamically append a script to the DOM.
Notice that no
transport_urlproperty is defined for the
configobject. This is a potential gadget for controlling the
Craft an exploit
Using the prototype pollution source you identified earlier, try injecting an arbitrary
In the browser DevTools panel, go to the Elements tab and study the HTML content of the page. Observe that a
scriptelement has been rendered on the page, with the
Modify the payload in the URL to inject an XSS proof-of-concept. For example, you can use a
Observe that the
alert(1)is called and the lab is solved.
An attacker will need to find a source that can be used to add arbitrary properties to the global
This lab can be solved manually in a browser, or by using DOM Invader.