From Prototype Pollution to RCE on ZeroNights X
In this article we will look at Prototype Pollution on the client and AST injection on the server, at what chaining the two can lead to, and at how they were built into the "Hack To Be Hired" competition at ZeroNights X by the Digital Security Academy as a training exercise.
The story began when, during a routine audit, I discovered a vulnerability with a name that was new to me at the time: Prototype Pollution. I understood in general terms that it had something to do with the prototype in JavaScript, since I had not encountered that word, or the prototype mechanism itself, in other programming languages. But what exactly goes wrong, and how our prototype actually gets polluted, remained a mystery to me that I wanted to solve.
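To make the mechanism concrete before going further, here is an added example (my own illustration, not code from the original article or from the competition): a naive recursive "merge" of a parsed JSON body beside a hardened version. The request body, the `unsafeMerge`/`safeMerge` names and the `isAdmin` flag are all constructed for the demonstration.

```javascript
// Added example (not from the original article): how a recursive merge of
// untrusted JSON pollutes Object.prototype, and a hardened merge that does not.

// Vulnerable deep merge: walks every key of `source`, including "__proto__".
// On a plain object, target["__proto__"] IS Object.prototype, so the recursion
// writes the attacker's keys onto every object in the runtime.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (typeof source[key] === "object" && source[key] !== null) {
      if (typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened deep merge: skip the keys that reach the prototype chain, copy only
// own properties, and never recurse into an inherited target property.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === "object" && value !== null && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed request body, exactly as JSON.parse would hand it to a merge.
// JSON.parse creates an OWN property literally named "__proto__" (it does not
// change the prototype); the merge is what dereferences it on the target.
const UNTRUSTED_BODY = '{"name":"guest","__proto__":{"isAdmin":true}}';

// Runs one merge over the untrusted body and reports whether an unrelated,
// freshly created object now "has" isAdmin, i.e. whether Object.prototype
// was polluted. Cleans up afterwards so the check does not leak.
function demonstrate(mergeFn) {
  const settings = { name: "anonymous" };
  mergeFn(settings, JSON.parse(UNTRUSTED_BODY));
  const unrelated = {};
  const result = {
    unrelatedIsAdmin: unrelated.isAdmin === true,
    settingsName: settings.name,
  };
  delete Object.prototype.isAdmin;
  return result;
}

console.log("unsafeMerge:", demonstrate(unsafeMerge)); // unrelatedIsAdmin: true
console.log("safeMerge:  ", demonstrate(safeMerge));   // unrelatedIsAdmin: false
```

The key observation is that the vulnerable code never mentions prototypes at all; a generic "copy every key from the request into this object" loop is enough, which is why so many utility libraries were affected. The hardened version is the usual fix: a deny-list of the three keys that reach the prototype chain plus `Object.keys` so inherited properties are never walked. Creating the target with `Object.create(null)` is a further option when the merged object never needs prototype methods.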
For myself, I decided to answer a few basic questions:
Why does this vulnerability have a high security rating?
What exactly is going wrong in vulnerable apps?
Can we get to remote code execution?
Application Security Risk Rating
So why does this vulnerability have a high risk rating?
It is simple: there is a general rating system for vulnerabilities, CVSS (I used version 3.0), and there is a calculator for self-assessing the risk. The rating is made up of 8 main parameters, and their combination yields a score for our application from 0.0 to 10.0, from lower to higher risk respectively. Since the attack vector is the network, the attack complexity is low and the availability is high, we get a HIGH rating of 7.3 and above for some very popular vulnerable applications: