Open cee-chen opened 4 years ago
FYI, doing Object.create(null)
isn't enough as there are other ways to get at the Object.prototype. jQuery fixed this by preventing any __proto__
key part.
For example, here are other vulnerable query strings:
foo[0]=bar&foo[__proto__][__proto__][test]=polluted
foo=bar&foo=baz&foo[__proto__][__proto__][test]=polluted
foo=bar&foo[__proto__][__proto__][test]=polluted
Hi there,
Unfortunately in https://github.com/cowboy/jquery-bbq/blob/master/jquery.ba-bbq.min.js the prototype pollution is still there and can be launched from the client side (different from the above case which seems to be launched from the server side).
Just check the codes "R=R[S]=P<Q?R[S]||(U[P+1]&&isNaN(U[P+1])?{}:[]):M" in that file. Object.prototype is polluted when some website vulnerable.com is using this library and someone visits https://vulnerable.com/?__proto__[Key]=pollute. Hopefully you can patch that line of code.
Actually I have discovered 6 real-world websites that are using this library and hence having this vulnerability. But I'm not going to disclose them here for the sake of their security. Thanks!
hello, i already reflected this xss on the client website, Object.prototype.div=['1',''] $('
') when i use this snippet in browser console it popup a screen "1" . now it create self xss, i need to draft the code to exploit user upon click. BugBountyTIP.Appearantly a CVE was already created for this in 2021: https://www.cve.org/CVERecord?id=CVE-2021-20086
π I know this repo is probably no longer maintained - I'm opening this issue for others out there on the internet who still might be using
$.deparam
and care about this sort of thing. You can grab the fix in my PR here: #61To be clear also: If you care about security/prototype pollution and using jQuery BBQ, you should be on jQuery 3.4.0+ (and using one of the open PRs to enable jQuery 3 compatibility, e.g. #48 or #42). Otherwise you'll still be vulnerable to pollution via
$.extend
.If you're continuing to use jQuery BBQ in production, I recommend maintaining your own fork with #48 and #61 merged/cherry-picked. You'll have to uglify/compress your own final output, but there are online YUI compressors you can easily use.
Reproducing
To see the prototype pollution in action:
({}).test
. Note that it now outputs "polluted".Why does it matter?
Check the following more malicious examples:
.hasOwnProperty
for every single obj instance on the page.eval({}.test)
in your console - this is a potential XSS vector for sites that eval() on user parameters (hopefully none or very few).Further reading on prototype pollution: