'A tale of making internet pollution free' - Exploiting Client | PT SWARM

"A tale of making internet pollution free" - Exploiting Client-Side Prototype Pollution in the wild
by Mohan Sri Rama Krishna P, Sergey Bobrov, Terjanq, Beomjin Lee, Masato Kinugawa, Nikita Stupin, Rahul Maini, Harsh Jaiswal, Mikhail Egorov, Melar Dev, Michał Bentkowski, Filedescriptor, Olivier, William Bowling, Ian Bouchard

In JavaScript, an object inherits methods and properties from its prototype. Prototype pollution is the situation in which extra properties are added to the prototype of base objects. Depending on the application logic, prototype pollution leads to other vulnerabilities, from RCE to SQL. This technical write-up touches on the tools the researchers created, the challenges they faced, and case studies from the whole process.

Contents:
• Introduction
• Methodology
• Detection
• Case 1
• Selenium Bot
• Browser Extension
• Case 2
• Identifying the vulnerable library
• Blocking the JS resource request in Firefox
• Debugger Breakpoint on setter
• Finding Script Gadgets
• What is a script gadget?
• Keyword search and Source Code Review
• Filedescriptor’s untrusted-types extension
• Report
• Store vulnerable libraries and gadgets in database
• Case Studies
• Case Study 1: CodeQL for fun and profit
• Case Study 2: Prototype Pollution on Jira Service Management 4.16.0, <4.18.0 (fix bypass)
• Case Study 3: XSS on apple.com found using chrome extension by Rahul and Harsh
• Case Study 4: HubSpot Analytics
• Case Study 5: Segment Analytics Pollution by Masato Kinugawa
• Mitigations

https://blog.s1r1us.ninja/research/PP