Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Stored XSS via Mermaid Prototype Pollution vulnerability- 689

Misha98857 - HackerOne, posted 4 years ago
  • Prototype pollution means poisoning the base JavaScript object prototype so that attacker-controlled properties or functions are inherited by every object created afterwards. This vulnerability is in GitLab's Mermaid, which is their custom markdown language.
  • When creating a diagram in Mermaid, JSON can be supplied in the initialization step. That JSON is then merged into, or copied onto, an internal object in some way (the report does not say exactly how), and that merge is what creates the prototype pollution vulnerability.
  • To exploit this, they specify a field called template containing JavaScript. That input is later executed when the search bar is clicked: XSS!
  • The same author had an additional prototype pollution in GitLab as well. In that article they name the cause: "Behind the scenes, library takes JSON_OBJECT from directive and merges it with config object. Later that config is used to generate new CSS rules..."
  • The fix for this is a denylist of attribute names being written that contains __proto__ and a few other items. I hate this solution; if another way is found to reference the prototype, then it becomes a large list of findings.
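The merge behaviour the report describes, shown as an added example that is not code from the report, GitLab or Mermaid: a naive recursive merge of user-supplied JSON reaches Object.prototype through the "__proto__" key, while the hardened merge refuses prototype-reaching keys and never recurses through an inherited property. The input JSON and the marker value "polluted" are constructed for the demo; the real report placed JavaScript in a "template" field.

```javascript
// Added example: how merging untrusted JSON pollutes Object.prototype,
// and a hardened merge that does not. Not the report's or Mermaid's code.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: JSON.parse creates an own property literally named "__proto__",
// so the loop sees it; reading target["__proto__"] then returns
// Object.prototype, and the recursion writes straight into it.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: refuse the keys that reach a prototype, and only recurse into a
// nested object that target actually owns (never into an inherited one).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Runs one merge on constructed untrusted JSON (standing in for the init JSON a
// user supplies to Mermaid) and reports whether an unrelated, freshly created
// object inherited the injected "template" property. The value is an inert
// marker, not script. Pollution is undone afterwards so checks start clean.
function checkPollution(merge) {
  const untrusted = JSON.parse('{"__proto__": {"template": "polluted"}, "theme": "dark"}');
  const config = merge({ theme: 'default' }, untrusted);
  const leaked = ({}).template;        // defined only if Object.prototype was written
  delete Object.prototype.template;
  return { theme: config.theme, leaked };
}
```

With naiveMerge, checkPollution reports leaked === "polluted"; with safeMerge it stays undefined while the legitimate "theme" key is still merged.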