webPromedium

MetricFlow — DOM XSS via Prototype Pollution Gadget

hackadvisor

Task: Analytics dashboard with client-side widget rendering; deepSet() parses URL query params with bracket notation without filtering __proto__. Solution: Prototype pollution via __proto__[headerTemplate] injects HTML into innerHTML gadget in renderWidget(), achieving DOM XSS to exfiltrate admin flag via shared notes API.

$ ls tags/ techniques/

nodejs javascript prototype_pollution express admin_bot innerhtml dom_xss gadget_chain xss_exfiltration query_parameter_parsing

admin_bot_exploitationclient_side_prototype_pollution_via_url_paramsdom_xss_via_innerhtml_gadgetimg_onerror_xss_bypassdata_exfiltration_via_shared_api

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 112 — MetricFlow — IDOR in Usage Analytics API— hackadvisor
[web][Pro]MetricForge— hackadvisor
[web][Pro]Lab 245 — MetriView — Reflected XSS via Open Redirect Chain— hackadvisor
[web][Pro]Lab 156 — IntegraFlow — Path Traversal via Double URL Encoding— hackadvisor
[web][Pro]Lab 78 — MetricVault — NoSQL Injection in Login Authentication— hackadvisor