Research Update Enhanced src/pentesting-web/deserialization/...

src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.md

@@ -107,13 +107,83 @@ Check this writeup: [https://blog.huli.tw/2022/05/02/en/intigriti-revenge-challe
 </script>
 ```
 
+## New Tools & Automation (2023–2025)
+
+* **Burp Suite DOM Invader (v2023.6)** – PortSwigger added a dedicated *Prototype-pollution* tab that automatically mutates parameter names (e.g. `__proto__`, `constructor.prototype`) and detects polluted properties at sink points inside the browser extension.  When a gadget is triggered, DOM Invader shows the execution stack and the exact line where the property was dereferenced, making manual breakpoint hunting unnecessary.  Combine it with the "Break on property access" snippet already shown above to quickly pivot from *source → sink*.
+* **protoStalker** – an open-source Chrome DevTools plug-in (released 2024) that visualises prototype chains in real-time and flags writes to globally dangerous keys such as `onerror`, `innerHTML`, `srcdoc`, `id`, etc.  Useful when you only have a production bundle and cannot instrument the build step.
+* **ppfuzz 2.0 (2025)** – the tool now supports ES-modules, HTTP/2 and WebSocket endpoints.  The new `-A browser` mode spins up a headless Chromium instance and automatically enumerates gadget classes by bruteforcing DOM APIs (see section below).
+
+---
+
+## Recent Prototype-Pollution Gadget Research (2022–2025)
+
+In mid-2023 PortSwigger researchers published a paper showing that *browser-built-in* objects can be turned into reliable XSS gadgets once polluted.  Because these objects are present on **every** page, you can gain execution even if the target application code never touches the polluted property.
+
+Example gadget (works in all evergreen browsers ≥ 2023-04):
+
+```html
+<script>
+    // Source (e.g. https://victim/?__proto__[href]=javascript:alert(document.___domain))
+    // For demo we just pollute manually:
+    Object.prototype.href = 'javascript:alert(`polluted`)' ;
+
+    // Sink – URL() constructor implicitly reads `href`
+    new URL('#'); // breaks into JS; in Chrome you get an alert, Firefox loads "javascript:" URL
+</script>
+```
+
+Other useful global gadgets that have been confirmed to work after pollution (tested 2024-11):
+
+| Gadget class | Read property | Primitive achieved |
+|--------------|---------------|--------------------|
+| `Notification` | `title` | `alert()` via notification click |
+| `Worker` | `name` | JS execution in dedicated Worker |
+| `Image` | `src` | Traditional `onerror` XSS |
+| `URLSearchParams` | `toString` | DOM-based Open Redirect |
+
+See the PortSwigger paper for the full list of 11 gadgets and a discussion about sandbox escapes.
+
+---
+
+## Notable Client-Side PP CVEs (2023-2025)
+
+* **DOMPurify ≤ 3.0.8 – CVE-2024-45801**  An attacker could pollute `Node.prototype.after` before the sanitizer initialised, bypassing the *SAFE_FOR_TEMPLATES* profile and leading to stored XSS.  The vendor patched by using `Object.hasOwn()` checks and `Object.create(null)` for internal maps.
+* **jQuery 3.6.0-3.6.3 – CVE-2023-26136 / CVE-2023-26140**  `extend()` could be used on crafted objects originating from `___location.hash`, introducing arbitrary properties into `Object.prototype` in the browsing context.
+* **sanitize-html < 2.8.1 (2023-10) prototype pollution**  A malicious attribute list such as `{"__proto__":{"innerHTML":"<img/src/onerror=alert(1)>"}}` bypassed the allow-list.
+
+Even if the vulnerable library lives **only on the client**, the resulting XSS is still exploitable remotely through reflected parameters, postMessage handlers or stored data rendered later.
+
+---
+
+## Modern Defensive Measures
+
+1. **Freeze the global prototype early** (ideally as the first script):
+   ```javascript
+   Object.freeze(Object.prototype);
+   Object.freeze(Array.prototype);
+   Object.freeze(Map.prototype);
+   ```
+   Be aware this might break polyfills that rely on late extension.
+2. Use `structuredClone()` instead of `JSON.parse(JSON.stringify(obj))` or community "deepMerge" snippets – it ignores setters/getters and does not walk the prototype chain.
+3. When you really need deep merge functionality, pick **lodash ≥ 4.17.22** or **deepmerge ≥ 5.3.0** which have built-in prototype sanitation.
+4. Add a Content-Security-Policy with `script-src 'self'` and a strict nonce.  While CSP will not stop all gadgets (e.g. `___location` manipulation), it blocks the majority of `innerHTML` sinks.
+
+
 ## References
 
 - [https://infosecwriteups.com/hunting-for-prototype-pollution-and-its-vulnerable-code-on-js-libraries-5bab2d6dc746](https://infosecwriteups.com/hunting-for-prototype-pollution-and-its-vulnerable-code-on-js-libraries-5bab2d6dc746)
 - [https://blog.s1r1us.ninja/research/PP](https://blog.s1r1us.ninja/research/PP)
 - [https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/#:\~:text=my%20challenge.-,Closure,-Closure%20Sanitizer%20has](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/)
+- [https://portswigger.net/research/widespread-prototype-pollution-gadgets](https://portswigger.net/research/widespread-prototype-pollution-gadgets)
+- [https://snyk.io/blog/dompurify-prototype-pollution-bypass-cve-2024-45801/](https://snyk.io/blog/dompurify-prototype-pollution-bypass-cve-2024-45801/)
 
-{{#include ../../../banners/hacktricks-training.md}}
 
 
 
+- [https://infosecwriteups.com/hunting-for-prototype-pollution-and-its-vulnerable-code-on-js-libraries-5bab2d6dc746](https://infosecwriteups.com/hunting-for-prototype-pollution-and-its-vulnerable-code-on-js-libraries-5bab2d6dc746)
+- [https://blog.s1r1us.ninja/research/PP](https://blog.s1r1us.ninja/research/PP)
+- [https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/#:\~:text=my%20challenge.-,Closure,-Closure%20Sanitizer%20has](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/)
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+