March 13 2022

From Prototype Pollution to RCE on ZeroNights X

In this article we will look at Prototype Pollution on the client and AST injection on the server, what their combination can lead to, and how they were embedded as training material in the "Hack To Be Hired" competition at ZeroNights X from the Digital Security Academy.
The story began when, during a routine audit, I discovered a vulnerability with a name that was new and interesting to me at the time: Prototype Pollution. In general, I understood that this vulnerability is related to the prototype in JavaScript, since I had not seen this word, or the prototype itself, in other programming languages. But what exactly goes wrong with it, and how our prototype gets contaminated in the first place, remained a mystery to me that I wanted to solve.
For myself, I decided to answer a few basic questions:

Why does this vulnerability have a high security rating?
What exactly is going wrong in vulnerable apps?
Can we get to remote code execution?
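What actually goes wrong, as an added example that is not part of the original article and not code from any library it discusses: a hand-written recursive merge with the classic prototype-pollution defect, a "gadget" elsewhere in the application that trusts an inherited property, and a hardened merge. The function names (unsafeMerge, safeMerge, isAdminSession, probe) and the two JSON payloads are constructed for illustration.

```javascript
// Added example, not code from the article or from any library it discusses.
// It shows the mechanism behind question 2: a hand-written recursive merge
// with the classic prototype-pollution defect, a "gadget" elsewhere in the
// app that trusts an inherited property, and a hardened merge. All names
// (unsafeMerge, safeMerge, isAdminSession, probe) are illustrative.

// Constructed attacker inputs: JSON bodies sent to an endpoint that merges
// user-supplied settings into a server-side or client-side config object.
const PAYLOAD_TOP_LEVEL = '{"user":"bob","__proto__":{"isAdmin":true}}';
const PAYLOAD_NESTED = '{"prefs":{"theme":"dark","__proto__":{"isAdmin":true}}}';

// Vulnerable: every key of `source` is walked, including the own "__proto__"
// key that JSON.parse creates as an ordinary data property. Reading
// target["__proto__"] goes through the Object.prototype accessor and returns
// Object.prototype itself, so the recursion writes into the shared prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own keys only, the three dangerous names are skipped, and an
// existing nested target is reused only if it is an own plain object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key]
        : undefined;
      if (existing === null || typeof existing !== 'object' || Array.isArray(existing)) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// A typical gadget: code that reads a property it never set and assumes that
// "absent" means false. After pollution every object in the process has it.
function isAdminSession(session) {
  return session.isAdmin === true;
}

// Run one payload through a merge function and report whether an unrelated,
// freshly created object picked up the injected property. The pollution is
// undone afterwards so the rest of the process is not affected.
function probe(mergeFn, payloadJson) {
  const freshBefore = isAdminSession({});
  const merged = mergeFn({}, JSON.parse(payloadJson));
  const freshAfter = isAdminSession({});
  const ownProto = Object.prototype.hasOwnProperty.call(merged, '__proto__');
  delete Object.prototype.isAdmin;
  return { freshBefore, freshAfter, ownProto, merged };
}

for (const [name, mergeFn] of [['unsafeMerge', unsafeMerge], ['safeMerge', safeMerge]]) {
  for (const payload of [PAYLOAD_TOP_LEVEL, PAYLOAD_NESTED]) {
    const r = probe(mergeFn, payload);
    console.log(`${name} ${payload} -> fresh {} isAdmin: ${r.freshAfter}`);
  }
}
```

Run it with node. With the unsafe merge a fresh `{}` reports isAdmin: true after either payload, top-level or nested; with the safe merge it does not, and the merged object carries no own `__proto__` key. The gadget is ordinary application code, which is why a bare pollution already rates as high risk: the attacker picks the property name, and whichever later consumer reads an option it never set supplies the impact. The server-side AST injection the article pairs this with works on the same principle. Freezing Object.prototype at startup, after every library that legitimately extends built-ins has loaded, is a cheap last line of defence.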
Application Security Risk Rating
So why does this vulnerability have a high risk rating?

It's simple: there is a common scoring system for vulnerabilities, CVSS (I used version 3.0), and there is a calculator for assessing the risk yourself. The base score is built from 8 metrics (attack vector, attack complexity, privileges required, user interaction, scope, and the confidentiality, integrity and availability impacts), and their combination gives a score from 0.0 (lowest risk) to 10.0 (highest). Since the attack vector is network, the attack complexity is low and the availability impact is high, we get a HIGH rating of 7.3 and above for some very popular vulnerable applications:

Information about the publication:

  • Author of the publication: hackweb
  • Date of publication: 13 March 2022 13:24
  • Publication category(s): Information security