Descripción
This lab is vulnerable to DOM XSS via client-side prototype pollution. This is due to a gadget in a third-party library, which is easy to miss due to the minified source code. Although it’s technically possible to solve this lab manually, we recommend using DOM Invader as this will save you a considerable amount of time and effort.
To solve the lab:
- Use DOM Invader to identify a prototype pollution and a gadget for DOM XSS.
- Use the provided exploit server to deliver a payload to the victim that calls
alert(document.cookie)in their browser.
This lab is based on real-world vulnerabilities discovered by PortSwigger Research. For more details, check out Widespread prototype pollution gadgets by Gareth Heyes.
Client-side prototype pollution in third-party libraries writeup
Accedemos al laboratorio y pulsamos Click derecho-> Inspeccionar -> DOM Invader. Actualizamos la página y vemos los siguientes resultados:
Escanearemos el primero. Al finalizar nos dará el siguiente resultado:
Al pulsar ‘Exploit’, nos insertará en la URL automáticamente el código necesario para provocar un alert():
Ahora tenemos que modificar la URL para que el alert en vez de mostrar un 1 muestre la cookie de sesión de la víctima. Para ello crearemos el siguiente script:
<script>
location= "https://0a14005404c05391826353e300220044.web-security-academy.net/#__proto__[hitCallback]=alert%28document.cookie%29"
</script>Completando así el laboratorio:
