What about CVE-2020-28478 #1

Open
jedai47 opened this issue Jun 10, 2024 · 0 comments

Hey everyone, I was doing bug bounty hunting on HackerOne and got invited to what looks to me like a good program for beginners since it doesn’t offer any bounties, there were not many found and the target had like 300 subdomains. It’s not my first program, however it’s the first vulnerability I’m reporting.

So, I noticed that they’re using a GSAP version that is vulnerable to prototype pollution (CVE-2020-28478).

I googled for a proof of concept and found one at Snyk’s website (Prototype Pollution in gsap | CVE-2020-28478 | Snyk)

It’s this simple piece of code:

// Keys are "__proto__"; the underscores were lost when the post was rendered.
gsap.config({ autoSleep: JSON.parse('{"__proto__":{"__proto__":{"polluted":"yes"}}}') });
// gsap.defaults(JSON.parse('{"__proto__":{"polluted":"yes"}}'));

// "polluted" resolves through Object.prototype once the config merge has written to it.
document.write('Polluted : ' + polluted);

I got really happy since it worked, wrote a nice report and sent it to them, saying that possible types of attacks include DoS, RCE and Property Injection as I saw at Snyk’s website.
The program is being managed by HackerOne themselves and the triage moderator asked me for a PoC related to the types of attacks above.

I learned some stuff about prototype pollution and, as of my understanding, unless there’s some sort of function that would be used to either do some server-side work or at least trigger it, there’s no way of making it work?

Well, to summarize I would like to know your opinions or some guidance to exploit the vulnerability, possibly RCE since DoS is a sort of grey area because it can damage their uptime and I don’t think that would be professional or even ethical.

Thanks in advance :slight_smile:
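Added example, not from the issue author and not GSAP’s own code: the class of bug behind CVE-2020-28478 is a recursive config merge that walks into a key named "__proto__" and ends up writing to Object.prototype. The block below puts a naive merge of that kind next to a hardened one that drops "__proto__", "constructor" and "prototype" and only descends into own properties, and adds a small check that tells you whether Object.prototype has already been polluted in the running page. The payload string is the single-level one quoted in the issue; `naiveMerge`, `safeMerge`, `isPrototypePolluted` and `demo` are names chosen here.

```javascript
// Added example (not from the issue or from GSAP). Assumed names:
// naiveMerge, safeMerge, isPrototypePolluted, demo.

// Keys that must never be copied from untrusted input into an object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive recursive merge: for...in sees the own "__proto__" key that
// JSON.parse creates, target["__proto__"] resolves to Object.prototype,
// and the recursion writes the nested keys onto it.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: skips the dangerous keys, only descends into the
// target's own plain-object properties, and starts fresh subtrees from a
// null-prototype object so nothing can reach Object.prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      const existing = hasOwn && isPlainObject(target[key])
        ? target[key]
        : Object.create(null);
      target[key] = safeMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection: has something already written one of these marker names
// onto Object.prototype? Useful as a runtime self-check in a page.
function isPrototypePolluted(markers = ['polluted']) {
  return markers.some((m) =>
    Object.prototype.hasOwnProperty.call(Object.prototype, m));
}

// Runs both merges against the payload quoted in the issue and reports
// the state of Object.prototype after each. Cleans up after itself.
function demo() {
  const payload = '{"__proto__":{"polluted":"yes"}}'; // from the issue
  const before = isPrototypePolluted();
  naiveMerge({}, JSON.parse(payload));
  const afterNaive = isPrototypePolluted();
  delete Object.prototype.polluted; // undo so the rest of the process is clean
  safeMerge({}, JSON.parse(payload));
  const afterSafe = isPrototypePolluted();
  return { before, afterNaive, afterSafe };
}
```

Running `demo()` in Node returns `{ before: false, afterNaive: true, afterSafe: false }`: the naive merge leaves a `polluted` property on Object.prototype (which is exactly why the bare `polluted` identifier in the PoC resolves to "yes"), while the hardened merge never touches it. The fix that matters for a library like GSAP is the `safeMerge` shape: reject the three forbidden keys and never follow an inherited property when recursing.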
