maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-web/deserialization/nodejs-proto-prototype-p

Browse Source
This commit is contained in:
Translator 2025-08-04 16:14:51 +00:00
parent bb72cd264c
commit 5fee66d601
1 changed files with 78 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.md
View File

@ -1,12 +1,12 @@
# Uchafuzi wa Prototype upande wa Mteja
# Client Side Prototype Pollution
{{#include ../../../banners/hacktricks-training.md}}
## Kugundua kwa kutumia Zana za Kiotomatiki
Zana [**https://github.com/dwisiswant0/ppfuzz**](https://github.com/dwisiswant0/ppfuzz?tag=v1.0.0)**,** [**https://github.com/kleiton0x00/ppmap**](https://github.com/kleiton0x00/ppmap) **na** [**https://github.com/kosmosec/proto-find**](https://github.com/kosmosec/proto-find) zinaweza kutumika **kupata udhaifu wa uchafuzi wa prototype**.
Zana [**https://github.com/dwisiswant0/ppfuzz**](https://github.com/dwisiswant0/ppfuzz?tag=v1.0.0)**,** [**https://github.com/kleiton0x00/ppmap**](https://github.com/kleiton0x00/ppmap) **na** [**https://github.com/kosmosec/proto-find**](https://github.com/kosmosec/proto-find) zinaweza kutumika **kupata udhaifu wa prototype pollution**.
Zaidi ya hayo, unaweza pia kutumia **nyongeza ya kivinjari** [**PPScan**](https://github.com/msrkp/PPScan) **ku** **scan** **kiotomatiki** **kurasa** unazofikia kwa udhaifu wa uchafuzi wa prototype.
Zaidi ya hayo, unaweza pia kutumia **nyongeza ya kivinjari** [**PPScan**](https://github.com/msrkp/PPScan) ili **kuangalia** **kiotomatiki** **kurasa** unazofikia kwa udhaifu wa prototype pollution.
### Kurekebisha mahali ambapo mali inatumika <a href="#id-5530" id="id-5530"></a>
```javascript
@ -23,11 +23,11 @@ return "test"
Mara tu udhaifu wa prototype pollution unapogundulika na zana yoyote, na ikiwa msimbo si mgumu kupita kiasi, unaweza kupata udhaifu kwa kutafuta maneno muhimu kama `location.hash`, `decodeURIComponent`, au `location.search` katika Chrome Developer Tools. Njia hii inakuwezesha kubaini sehemu iliyo hatarini ya msimbo wa JavaScript.
Kwa misimbo mikubwa na ngumu zaidi, njia rahisi ya kugundua msimbo ulio hatarini inajumuisha hatua zifuatazo:
Kwa misimbo mikubwa na ngumu zaidi, njia rahisi ya kugundua msimbo hatarini inajumuisha hatua zifuatazo:
1. Tumia zana kubaini udhaifu na kupata payload iliyoundwa kuweka mali katika mjenzi. Mfano uliopewa na ppmap unaweza kuonekana kama: `constructor[prototype][ppmap]=reserved`.
1. Tumia zana ili kubaini udhaifu na kupata payload iliyoundwa kuweka mali katika mjenzi. Mfano uliopewa na ppmap unaweza kuonekana kama: `constructor[prototype][ppmap]=reserved`.
2. Weka breakpoint kwenye mstari wa kwanza wa msimbo wa JavaScript utakaotekelezwa kwenye ukurasa. Fanya upya ukurasa na payload, ukisimamisha utekelezaji kwenye breakpoint hii.
3. Wakati utekelezaji wa JavaScript umesimamishwa, tekeleza script ifuatayo katika JS console. Script hii itatoa ishara wakati mali ya 'ppmap' inaundwa, kusaidia katika kutafuta asili yake:
3. Wakati utekelezaji wa JavaScript umesimamishwa, tekeleza script ifuatayo katika JS console. Script hii itatoa ishara wakati mali ya 'ppmap' inaundwa, ikisaidia katika kutafuta chanzo chake:
```javascript
function debugAccess(obj, prop, debugGet = true) {
var origValue = obj[prop]
@ -46,9 +46,9 @@ origValue = val
debugAccess(Object.prototype, "ppmap")
```
4. Rudi kwenye tab ya **Sources** na uchague "Resume script execution". JavaScript itaendelea kutekelezwa, na mali ya 'ppmap' itachafuka kama inavyotarajiwa. Kutumia kipande kilichotolewa husaidia kutambua mahali halisi ambapo mali ya 'ppmap' inachafuka. Kwa kuchunguza **Call Stack**, stacks tofauti ambapo uchafuzi ulitokea zinaweza kuonekana.
4. Rudi kwenye tab ya **Sources** na uchague “Resume script execution”. JavaScript itaendelea kutekelezwa, na mali ya 'ppmap' itachafuka kama inavyotarajiwa. Kutumia kipande kilichotolewa kunasaidia kutambua mahali halisi ambapo mali ya 'ppmap' inachafuka. Kwa kuchunguza **Call Stack**, stacks tofauti ambapo uchafuzi ulitokea zinaweza kuonekana.
Unapofanya maamuzi kuhusu stack ipi uchunguze, mara nyingi ni muhimu kulenga stacks zinazohusiana na faili za maktaba za JavaScript, kwani uchafuzi wa prototype hutokea mara nyingi ndani ya maktaba hizi. Tambua stack husika kwa kuchunguza kiambatisho chake kwa faili za maktaba (inaonekana upande wa kulia, kama picha iliyotolewa kwa mwongozo). Katika hali zenye stacks nyingi, kama zile kwenye mistari 4 na 6, chaguo la mantiki ni stack kwenye mstari wa 4, kwani inawakilisha tukio la awali la uchafuzi na hivyo sababu ya msingi ya udhaifu. Kubofya kwenye stack kutakupeleka kwenye msimbo ulio hatarini.
Unapofanya maamuzi kuhusu stack ipi uchunguze, mara nyingi ni muhimu kulenga stacks zinazohusiana na faili za maktaba za JavaScript, kwani uchafuzi wa prototype hutokea mara nyingi ndani ya maktaba hizi. Tambua stack inayohusiana kwa kuchunguza kiambatisho chake kwa faili za maktaba (inaonekana upande wa kulia, kama picha iliyotolewa kwa mwongozo). Katika hali zenye stacks nyingi, kama zile kwenye mistari 4 na 6, chaguo la busara ni stack kwenye mstari wa 4, kwani inawakilisha tukio la awali la uchafuzi na hivyo sababu ya msingi ya udhaifu. Kubofya kwenye stack kutakupeleka kwenye msimbo ulio hatarini.
![https://miro.medium.com/max/1400/1*S8NBOl1a7f1zhJxlh-6g4w.jpeg](https://miro.medium.com/max/1400/1*S8NBOl1a7f1zhJxlh-6g4w.jpeg)
@ -101,7 +101,76 @@ const node = goog.dom.safeHtmlToNode(sanitized);
document.body.append(node);
</script>
```
## Marejeo
## New Tools & Automation (20232025)
* **Burp Suite DOM Invader (v2023.6)** PortSwigger iliongeza tab ya *Prototype-pollution* ambayo inabadilisha majina ya vigezo kiotomatiki (e.g. `__proto__`, `constructor.prototype`) na kugundua mali zilizochafuka katika maeneo ya sink ndani ya nyongeza ya kivinjari. Wakati gadget inapoanzishwa, DOM Invader inaonyesha stack ya utekelezaji na mstari halisi ambapo mali iliondolewa, na kufanya uwindaji wa breakpoint wa mikono kuwa wa ziada. Changanya na kipande cha "Break on property access" kilichoonyeshwa hapo juu ili kubadilisha haraka kutoka *source → sink*.
* **protoStalker** nyongeza ya Chrome DevTools ya chanzo wazi (iliyotolewa 2024) ambayo inaonyesha minyororo ya prototype kwa wakati halisi na kuashiria maandiko kwa funguo hatari za kimataifa kama vile `onerror`, `innerHTML`, `srcdoc`, `id`, nk. Inafaida unapokuwa na bundle ya uzalishaji tu na huwezi kuingiza hatua ya kujenga.
* **ppfuzz 2.0 (2025)** chombo sasa kinasaidia ES-modules, HTTP/2 na WebSocket endpoints. Hali mpya ya `-A browser` inazindua mfano wa Chromium usio na kichwa na kiotomatiki inataja madarasa ya gadget kwa kubruutuforcing DOM APIs (ona sehemu hapa chini).
---
## Recent Prototype-Pollution Gadget Research (20222025)
Katika katikati ya 2023, watafiti wa PortSwigger walichapisha karatasi ikionyesha kwamba vitu vya *browser-built-in* vinaweza kubadilishwa kuwa gadgets za XSS zinazotegemewa mara tu vinapochafuka. Kwa sababu vitu hivi vinapatikana kwenye **kila** ukurasa, unaweza kupata utekelezaji hata kama msimbo wa programu lengwa hauugusi mali iliyochafuka.
Mfano wa gadget (inafanya kazi katika vivinjari vyote vya evergreen ≥ 2023-04):
```html
<script>
// Source (e.g. https://victim/?__proto__[href]=javascript:alert(document.domain))
// For demo we just pollute manually:
Object.prototype.href = 'javascript:alert(`polluted`)' ;
// Sink URL() constructor implicitly reads `href`
new URL('#'); // breaks into JS; in Chrome you get an alert, Firefox loads "javascript:" URL
</script>
```
Other useful global gadgets that have been confirmed to work after pollution (tested 2024-11):
| Gadget class | Read property | Primitive achieved |
|--------------|---------------|--------------------|
| `Notification` | `title` | `alert()` kupitia bonyeza arifa |
| `Worker` | `name` | Utekelezaji wa JS katika Worker maalum |
| `Image` | `src` | XSS ya jadi `onerror` |
| `URLSearchParams` | `toString` | Upit wa Open Redirect unaotegemea DOM |
Tazama karatasi ya PortSwigger kwa orodha kamili ya gadgets 11 na majadiliano kuhusu kukwepa sanduku.
---
## CVEs za PP za Kihistoria za Client-Side (2023-2025)
* **DOMPurify ≤ 3.0.8 CVE-2024-45801** Mshambuliaji anaweza kuharibu `Node.prototype.after` kabla ya sanitizer kuanzishwa, akiepuka wasifu wa *SAFE_FOR_TEMPLATES* na kusababisha XSS iliyohifadhiwa. Muuzaji alirekebisha kwa kutumia `Object.hasOwn()` checks na `Object.create(null)` kwa ramani za ndani.
* **jQuery 3.6.0-3.6.3 CVE-2023-26136 / CVE-2023-26140** `extend()` inaweza kutumika kwenye vitu vilivyoundwa kutoka `location.hash`, ikileta mali zisizo na mpangilio katika `Object.prototype` katika muktadha wa kivinjari.
* **sanitize-html < 2.8.1 (2023-10) prototype pollution** Orodha ya sifa mbaya kama `{"__proto__":{"innerHTML":"<img/src/onerror=alert(1)>"}}` iliepuka orodha ya ruhusa.
Hata kama maktaba yenye hatari inakaa **tu kwenye mteja**, XSS inayotokana bado inaweza kutumika kwa mbali kupitia vigezo vilivyorejelewa, wakala wa postMessage au data iliyohifadhiwa inayotolewa baadaye.
---
## Hatua za Kisasa za Ulinzi
1. **Funga prototype ya kimataifa mapema** (kimsingi kama script ya kwanza):
```javascript
Object.freeze(Object.prototype);
Object.freeze(Array.prototype);
Object.freeze(Map.prototype);
```
Kumbuka hii inaweza kuvunja polyfills zinazotegemea upanuzi wa baadaye.
2. Tumia `structuredClone()` badala ya `JSON.parse(JSON.stringify(obj))` au vipande vya jamii "deepMerge" inapuuzilia mbali setters/getters na haitatembea kwenye mnyororo wa prototype.
3. Wakati unahitaji kweli kazi ya kuunganisha kwa kina, chagua **lodash ≥ 4.17.22** au **deepmerge ≥ 5.3.0** ambazo zina usafi wa prototype uliojengwa ndani.
4. Ongeza Sera ya Usalama wa Maudhui yenye `script-src 'self'` na nonce kali. Ingawa CSP haitasimamisha gadgets zote (mfano `location` manipulation), inazuia sehemu nyingi za `innerHTML`.
## Marejeleo
- [https://infosecwriteups.com/hunting-for-prototype-pollution-and-its-vulnerable-code-on-js-libraries-5bab2d6dc746](https://infosecwriteups.com/hunting-for-prototype-pollution-and-its-vulnerable-code-on-js-libraries-5bab2d6dc746)
- [https://blog.s1r1us.ninja/research/PP](https://blog.s1r1us.ninja/research/PP)
- [https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/#:\~:text=my%20challenge.-,Closure,-Closure%20Sanitizer%20has](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/)
- [https://portswigger.net/research/widespread-prototype-pollution-gadgets](https://portswigger.net/research/widespread-prototype-pollution-gadgets)
- [https://snyk.io/blog/dompurify-prototype-pollution-bypass-cve-2024-45801/](https://snyk.io/blog/dompurify-prototype-pollution-bypass-cve-2024-45801/)
- [https://infosecwriteups.com/hunting-for-prototype-pollution-and-its-vulnerable-code-on-js-libraries-5bab2d6dc746](https://infosecwriteups.com/hunting-for-prototype-pollution-and-its-vulnerable-code-on-js-libraries-5bab2d6dc746)
- [https://blog.s1r1us.ninja/research/PP](https://blog.s1r1us.ninja/research/PP)