From 8346238a82f1e3a6f62389def1e668d80e4023fb Mon Sep 17 00:00:00 2001
From: radex
Date: Tue, 26 May 2020 08:45:07 +0200
Subject: [PATCH] JavaScript Object properties & prototype pollution
---
 blns.json | 16 +++++++++++++++-
 blns.txt | 27 +++++++++++++++++++++++++--
 2 files changed, 40 insertions(+), 3 deletions(-)
diff --git a/blns.json b/blns.json
index bfb195f..851b404 100644
--- a/blns.json
+++ b/blns.json
@@ -14,7 +14,6 @@
 "TRUE",
 "FALSE",
 "None",
- "hasOwnProperty",
 "then",
 "\\",
 "\\\\",
@@ -451,6 +450,21 @@
 "Kernel.exec(\"ls -al /\")",
 "Kernel.exit(1)",
 "%x('ls -al /')",
+ "__proto__",
+ "constructor",
+ "prototype",
+ "__defineGetter__",
+ "__defineSetter__",
+ "__lookupGetter__",
+ "__lookupSetter__",
+ "hasOwnProperty",
+ "isPrototypeOf",
+ "propertyIsEnumerable",
+ "toLocaleString",
+ "toString",
+ "valueOf",
+ "{\"__proto__\":{\"isAdmin\":true,\"data\":\"\",\"list\":\"\",\"items\":\"\",\"attributes\":\"\",\"foo\":{},\"url\":\"javascript:alert('pwned')\"}}",
+ "{\"constructor\":{\"prototype\":{\"isAdmin\":true,\"data\":\"\",\"list\":\"\",\"items\":\"\",\"attributes\":\"\",\"foo\":{},\"url\":\"javascript:alert('pwned')\"}}}",
 "]>&xxe;",
 "$HOME",
 "$ENV{'HOME'}",
diff --git a/blns.txt b/blns.txt
index e9c16d8..ea8c7a2 100644
--- a/blns.txt
+++ b/blns.txt
@@ -16,9 +16,7 @@
 False
 TRUE
 FALSE
 None
-hasOwnProperty
 then
-constructor
 \
 \\
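Review bot: The prototype-pollution entries added to blns.json cover only the whole-key form (`"__proto__"`, `"constructor"`, `"prototype"`) and the JSON-body form (`{"__proto__":{...}}`, `{"constructor":{"prototype":{...}}}`), so the bracket and dotted-path shapes that query-string parsers and deep-set helpers commonly accept are not exercised by the list. Consider adding `"__proto__[isAdmin]=true",` and `"constructor.prototype.isAdmin",` beside the two JSON payloads. Note also that a harness loading this file with JSON.parse receives these payloads as inert strings; Object.prototype is only affected when a target parses one of them and recursively merges or deep-assigns the result into another object, so consumers should not expect `isAdmin` to appear on `{}` merely from reading the list. Since blns.json is strict JSON and cannot carry comments, that caveat belongs in the blns.txt comment block or the README.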
@@ -617,6 +615,31 @@
 Kernel.exec("ls -al /")
 Kernel.exit(1)
 %x('ls -al /')
+# JavaScript Object properties
+#
+# Names of Object properties - badly written programs will return a truthy value when looking up those keys using square brackets syntax instead of hasOwnProperty
+
+__proto__
+constructor
+prototype
+__defineGetter__
+__defineSetter__
+__lookupGetter__
+__lookupSetter__
+hasOwnProperty
+isPrototypeOf
+propertyIsEnumerable
+toLocaleString
+toString
+valueOf
+
+# JavaScript prototype pollution
+#
+# Strings that may cause Object prototype to be polluted
+
+{"__proto__":{"isAdmin":true,"data":"","list":"","items":"","attributes":"","foo":{},"url":"javascript:alert('pwned')"}}
+{"constructor":{"prototype":{"isAdmin":true,"data":"","list":"","items":"","attributes":"","foo":{},"url":"javascript:alert('pwned')"}}}
+
 # XXE Injection (XML)
 #
 # String which can reveal system files when parsed by a badly configured XML parser
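Review bot: The comment `# Strings that may cause Object prototype to be polluted` overstates what the two payloads do on their own: JSON.parse of either string yields an object with an own property named `__proto__` (or `constructor`), and Object.prototype is only modified when that parsed result is then recursively merged or deep-assigned into another object. Suggest `# Strings that pollute Object.prototype when parsed and then recursively merged into another object (JSON.parse alone only creates an own "__proto__" key)`. The first comment's recommendation to use hasOwnProperty is also undercut by the list itself, since `hasOwnProperty` is one of the keys being supplied: an object that has received it as an own key shadows the method, so `obj.hasOwnProperty(k)` throws rather than returning false. That comment should point to `Object.prototype.hasOwnProperty.call(obj, k)` or `Object.hasOwn(obj, k)` instead, or to storing untrusted keys in a `Map` / `Object.create(null)` object.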