NodeJS - Prototype Pollution
$ sudo docker pull blabla1337/owasp-skf-lab:js-prototype-pollution
$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:js-prototype-pollution
Now that the app is running let's go hacking!
Malicious actors can make application-wide changes to all objects by modifying the prototype that every object inherits from (Object.prototype), hence the name prototype pollution.
Let's open the application; we are greeted with a login screen:
Log in with user/user.
We see this user has no Admin privileges; we also have a feature to send a message to an admin. Let's use it and inspect the request.
A POST request with email and username, as expected. We also notice on the homepage a feature to create a new user.
Log in with the newly created user.
Let's try our prototype pollution payload in the /message route.
To make it easier, let's put this payload in a file called evil.json. Now let's use curl to send evil.json to the application.
We get a response back from the server. Let's refresh the page to see if it worked.
Success! We now have a user with admin privileges!
If we create another user, we see that the new user also has admin set to True.
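Why a newly created user inherits admin: the server merges the request body into an object with a recursive merge, and a key named __proto__ walks up into Object.prototype. This is an added example, not the lab's own code; the merge functions, the request body and the /message handler simulation are constructed here to show the vulnerable merge beside a hardened one that refuses prototype-reaching keys.

```javascript
// Vulnerable pattern (constructed, not the lab's source): copies untrusted
// JSON keys verbatim. When key === "__proto__", target[key] resolves to
// Object.prototype and the nested values land on every object in the process.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === undefined) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened version: only own keys are merged, and the three keys that can
// reach a prototype are dropped before any assignment happens.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (!Object.prototype.hasOwnProperty.call(target, key)) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Simulates the lab's /message handler: merge the body into a fresh message
// object, then check whether a brand-new user object now "has" admin.
// Returns true when Object.prototype was polluted by the merge.
function pollutes(merge, rawBody) {
  merge({ email: '', username: '' }, JSON.parse(rawBody));
  const newUser = { name: 'someone' };   // created afterwards, no admin key of its own
  const inherited = newUser.admin === true &&
    !Object.prototype.hasOwnProperty.call(newUser, 'admin');
  delete Object.prototype.admin;         // undo any pollution so runs stay independent
  return inherited;
}

// Constructed request body of the kind sent to /message in the lab.
const CONSTRUCTED_BODY =
  '{"email":"a@b.c","username":"user","__proto__":{"admin":true}}';
```

A useful belt-and-braces check for the server side is Object.freeze(Object.prototype) at startup, which turns any remaining pollution attempt into a no-op rather than a privilege change.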