YesWeHack | Dojo #40 - Hacker Profile

Author: WiZee (Infosec student @ ESNA)
CVSS score:
Bug type: Information Disclosure (CWE-200)
Scope: https://dojo-yeswehack.com/challenge-of-the-month/dojo-40
Endpoint: /
Vulnerable part: Others
Part name: /
Payload: {"constructor":{"prototype":{"debug":{"active":true,"code":"process.env.FLAG"}}},"throwError":null}
Technical env.: /
App. fingerprint: /
CVE: /
Impact: Sensitive Data Exposure
IP used: REDACTED

Description

This vulnerability is a prototype pollution issue, which occurs when an attacker manipulates JavaScript object prototypes to inject or modify properties. In the context of this challenge, the vulnerability exists within the application's JSON parsing and object property assignment workflow. The application improperly handles JSON input, allowing attackers to modify internal configuration objects and execute arbitrary code.

Exploitation

The exploitation involves manipulating the JavaScript prototype chain to enable debug mode and execute arbitrary code on the server. The steps are:

  • Polluting the prototype via constructor.prototype: A malicious payload can inject properties into the prototype so that appConfig.debug becomes {active: true, code: "process.env.FLAG"}.
  • Triggering a runtime error: The application loops over each key in the user object and calls methods like user[key].toString() or user[key].toLocaleString(). By setting a property to null (e.g., "throwError": null), the code attempts null.toString(), raises a TypeError, and enters the catch block.
  • Leaking sensitive data: In the catch block, if appConfig.debug.active is true, the application runs eval(appConfig.debug.code), revealing the environment variable FLAG.

PoC

Key steps:

  1. Pollute the object’s prototype to set debug.active = true and debug.code = "process.env.FLAG".
  2. Force an error by creating a new property (e.g., "throwError": null) so that calling .toString() on null causes a TypeError.
  3. Catch block execution: The error triggers the catch, which executes eval("process.env.FLAG"), printing the flag.

Payload used:

{"constructor":{"prototype":{"debug":{"active":true,"code":"process.env.FLAG"}}},"throwError":null}

Flag obtained:

FLAG{$m4ll_m1st4ke_t0_rcE!}

Risk

The risks associated with this vulnerability include:

  • Sensitive information disclosure: Attackers can access environment variables or secrets stored on the server.
  • Remote code execution: Potential execution of arbitrary code, leading to complete system compromise.
  • Reputation damage: Loss of user trust and damage to company reputation due to compromised security.

Remediation

To remediate this vulnerability, you should implement the following measures:

  • Avoid direct usage of user-controlled objects without proper sanitization.
  • Use safe object merging libraries or functions that ignore prototype-polluting keys.
  • Explicitly prevent the modification of critical objects by using methods such as Object.freeze() or defining properties with Object.defineProperty().
  • Disable or strictly control the usage of eval() in production code to prevent arbitrary code execution.
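The remediation items above in working form, as an added example that is not part of the write-up or the challenge code: a merge that drops the constructor/prototype keys the payload relies on, a deep-frozen appConfig, and a rendering loop that uses String() so a null field does not raise the TypeError the exploit depends on. The function names and the shape of appConfig are assumptions.

```javascript
// Added example, not the challenge's code: a merge that skips the keys a
// prototype-pollution payload relies on, a frozen config, and a rendering
// loop that does not throw on null values. All names here are assumptions.
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Copy own, enumerable keys of `source` (parsed untrusted JSON) into `target`.
// Polluting keys are dropped and returned so the caller can log the attempt;
// nested targets get a null prototype, so recursion never climbs from an
// inherited property such as target.constructor up to Object.prototype.
function safeMerge(target, source, dropped = []) {
  for (const key of Object.keys(source)) {
    if (POLLUTING_KEYS.has(key)) { dropped.push(key); continue; }
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value, dropped);
    } else {
      target[key] = value;
    }
  }
  return dropped;
}

// Freeze the configuration and its nested objects so no later write changes it.
function deepFreeze(obj) {
  for (const v of Object.values(obj)) if (isPlainObject(v)) deepFreeze(v);
  return Object.freeze(obj);
}

// String(x) yields "null" for null instead of throwing like null.toString().
function renderUser(user) {
  return Object.keys(user).map((k) => `${k}=${String(user[k])}`).join(';');
}

// Constructed payload with the same shape as the one in the write-up.
const PAYLOAD = '{"constructor":{"prototype":{"debug":{"active":true,"code":"process.env.FLAG"}}},"throwError":null}';

function demo() {
  const appConfig = deepFreeze({ debug: { active: false, code: '' } });
  const user = {};
  const dropped = safeMerge(user, JSON.parse(PAYLOAD));
  return {
    dropped,                               // ['constructor']
    polluted: ({}).debug !== undefined,    // false: Object.prototype untouched
    debugActive: appConfig.debug.active,   // false
    rendered: renderUser(user),            // 'throwError=null'
  };
}
```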