16 changes: 15 additions & 1 deletion blns.json
Expand Up @@ -14,7 +14,6 @@
"TRUE",
"FALSE",
"None",
"hasOwnProperty",
"then",
"\\",
"\\\\",
Expand Down Expand Up @@ -451,6 +450,21 @@
"Kernel.exec(\"ls -al /\")",
"Kernel.exit(1)",
"%x('ls -al /')",
"__proto__",
"constructor",
"prototype",
"__defineGetter__",
"__defineSetter__",
"__lookupGetter__",
"__lookupSetter__",
"hasOwnProperty",
"isPrototypeOf",
"propertyIsEnumerable",
"toLocaleString",
"toString",
"valueOf",
"{\"__proto__\":{\"isAdmin\":true,\"data\":\"\",\"list\":\"\",\"items\":\"\",\"attributes\":\"\",\"foo\":{},\"url\":\"javascript:alert('pwned')\"}}",
"{\"constructor\":{\"prototype\":{\"isAdmin\":true,\"data\":\"\",\"list\":\"\",\"items\":\"\",\"attributes\":\"\",\"foo\":{},\"url\":\"javascript:alert('pwned')\"}}}",
"<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]><foo>&xxe;</foo>",
"$HOME",
"$ENV{'HOME'}",
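Review bot: The first hunk of blns.json drops only one line (`"hasOwnProperty"`), while the matching hunk in blns.txt drops two (`hasOwnProperty` and `constructor`), so the JSON list appears to have already drifted from the text list before this change; if the project generates blns.json from blns.txt, regenerating it rather than hand-editing would keep the two in lockstep, and any other generated variants would need the same refresh. The newly added strings are correctly escaped for JSON, and `JSON.parse` of the file yields them as plain string values, so loading the list is safe by itself. Harnesses that then use each string as a property name on an ordinary object, for example to record results keyed by input, will be polluted by `__proto__`, `constructor` and friends; such harnesses should key on a `Map` or an `Object.create(null)` object so the list's own prototype-pollution entries do not corrupt the test run.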
27 changes: 25 additions & 2 deletions blns.txt
Expand Up @@ -16,9 +16,7 @@ False
TRUE
FALSE
None
hasOwnProperty
then
constructor
\
\\

Expand Down Expand Up @@ -617,6 +615,31 @@ Kernel.exec("ls -al /")
Kernel.exit(1)
%x('ls -al /')

# JavaScript Object properties
#
# Names of Object properties - badly written programs will return a truthy value when looking up those keys using square brackets syntax instead of hasOwnProperty

__proto__
constructor
prototype
__defineGetter__
__defineSetter__
__lookupGetter__
__lookupSetter__
hasOwnProperty
isPrototypeOf
propertyIsEnumerable
toLocaleString
toString
valueOf

# JavaScript prototype pollution
#
# Strings that may cause Object prototype to be polluted

{"__proto__":{"isAdmin":true,"data":"","list":"","items":"","attributes":"","foo":{},"url":"javascript:alert('pwned')"}}
{"constructor":{"prototype":{"isAdmin":true,"data":"","list":"","items":"","attributes":"","foo":{},"url":"javascript:alert('pwned')"}}}

# XXE Injection (XML)
#
# String which can reveal system files when parsed by a badly configured XML parser
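Review bot: The section comment in the second hunk names the failure mode but not the safe check, and it is the one line a consumer will read before deciding how to use these entries; I would replace it with `# Property names inherited from Object.prototype - code that tests for a key with obj[key] or "key in obj" instead of Object.prototype.hasOwnProperty.call(obj, key) (or Object.hasOwn) will see a truthy value for these`. The prototype-pollution comment could likewise state where the risk lies: `# Valid JSON objects; JSON.parse yields own properties, but a recursive merge, clone or extend of the parsed object into another object can write into Object.prototype`. Both are documentation-only changes and keep the existing `#`-comment format of the file.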