Exam (elaborations)

COMPSCI 123: Introduction to Whitebox Attacks | 2026 complete solutions

Rating
-
Sold
-
Pages
71
Grade
A+
Uploaded on
12-05-2026
Written in
2025/2026


12. Whitebox Attacks
Introduction to Whitebox Attacks


This module will explore several advanced web vulnerabilities using a whitebox approach
and how to exploit them: Prototype Pollution, Timing Attacks & Race Conditions,
and those arising from Type Juggling.

It is recommended to have a strong understanding of basic web vulnerabilities and how to
exploit them; a good start is the Web Attacks module. Throughout the module, we will focus
mainly on understanding the root causes of these vulnerabilities rather than covering the entire
codebase of each vulnerable web application. A high-level understanding of JavaScript,
Python, and PHP source code is required to complete this module.

Prototype Pollution

Prototype Pollution is a vulnerability specific to prototype-oriented programming
languages and how they handle objects and inheritance, with JavaScript being the flagship
exploited programming language. It can arise when user input is used to manipulate the
properties of a JavaScript object. Depending on the vulnerable code, prototype pollution can
lead to server-side vulnerabilities on the web application, such as privilege escalation,
denial-of-service (DoS), or remote code execution (RCE). However, prototype pollution
vulnerabilities can also be present in client-side JavaScript code, resulting in client-side
vulnerabilities such as Cross-Site Scripting (XSS).

Timing Attacks & Race Conditions

Timing Attacks and Race Conditions are vulnerabilities that can arise in any software, not
just web applications. As such, they are often overlooked in web security since they are not
exclusive to web applications. A web application is vulnerable to timing attacks if response
timing can be used as a side-channel to infer information about the web application. That
may include the enumeration of valid usernames or the exfiltration of data from the web
server. On the other hand, race conditions arise from the multithreaded execution of a web
application. Suppose the web application assumes a sequential execution of certain
operations but is deployed on a multithreaded web server. In that case, race condition
vulnerabilities can arise, leading to data loss or business logic vulnerabilities.

Type Juggling

Type Juggling in PHP occurs when variables are converted to different data types in specific
contexts. In particular, PHP features loose comparisons (using the == operator), which
compare two values after type juggling, and strict comparisons (using the === operator),
which compare two values as well as their data type. Confusing these two operations can
lead to security vulnerabilities and bugs if the web application code contains a loose
comparison instead of a strict one. Abusing loose comparisons can lead to unexpected and
undesired outcomes, potentially leading to security vulnerabilities such as authentication
bypasses or privilege escalation.


JavaScript Objects & Prototypes


Before jumping into prototype pollution, we must establish a baseline about JavaScript
objects and JavaScript prototypes.

Objects in JavaScript

JavaScript supports different data types, including simple ones such as numbers, strings,
or booleans, and more complex ones called objects, which can consist of multiple values of
different data types. These values are called the properties of the object. As an example,
let us consider a JavaScript object representation of a Hack The Box Academy module. We
can create a module object like this:


module = {name: "Web Attacks", author: "21y4d", tier: 2}




We can access properties of our module object with a dot followed by the property name:


module.name




The same syntax allows us to set additional properties of our object:


module.difficulty = "medium"




We can also create more complex objects by assigning functions or other objects as
properties.




Prototypes in JavaScript
JavaScript uses a pre-defined notion of inheritance to provide basic functionality to all
existing objects. This is implemented via Object prototypes. The prototype of an object is a
reference to another object from which it inherits properties. Each object inherits from a
prototype. As such, the prototype of an object itself also has a prototype. This chain of
prototypes is called the prototype chain. For example, let us consider our module object
from before. Our object has a property that defines the toString function, which we can call
like so:

>> module.toString()
"[object Object]"




However, where does this property come from? We only explicitly defined our object's name,
author, and tier properties, not the toString property. Our object inherits this property
from the module object's prototype. We can check out the prototype of our object by
accessing the __proto__ property:




We can see that the prototype of the module object is an object called Object.prototype.
This is the base prototype that all created objects inherit. We can also see that this is where
the property toString is defined. Whenever we access a property of our object that does
not exist, the prototype is searched for this property. If it does not exist there, the prototype's
prototype is searched, and so on, until the end of the prototype chain is reached. When the
property is still not found, undefined is returned.

We can, of course, override inherited properties to implement specific requirements of our
object. For instance, we can implement a custom toString function for our object:


module.toString = function() {return "This is the HTB Academy module: " +
this.name;}




Since our object's properties have precedence over the prototype's properties, when we call
the toString function, our custom toString function is executed:




This process of overriding a prototype's property is called shadowing.
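
The lookup and shadowing rules described above can be traced in code. This is an added example, not part of the original module; the helper names `label`, `definers` and `demo` are hypothetical, and the object is named `mod` because Node.js already defines `module`.

```javascript
// Label one level of a prototype chain for display.
function label(obj, depth) {
  if (obj === Object.prototype) return "Object.prototype";
  return depth === 0 ? "own" : "prototype#" + depth;
}

// Walk the chain from obj up to null and collect every level that defines
// prop as an own property. The first entry is what a property access
// returns; any later entries are shadowed by it.
function definers(obj, prop) {
  const hits = [];
  let depth = 0;
  for (let cur = obj; cur !== null; cur = Object.getPrototypeOf(cur)) {
    if (Object.prototype.hasOwnProperty.call(cur, prop)) {
      hits.push(label(cur, depth));
    }
    depth++;
  }
  return hits;
}

function demo() {
  // Same object as on the page.
  const mod = { name: "Web Attacks", author: "21y4d", tier: 2 };
  const before = definers(mod, "toString"); // inherited only
  mod.toString = function () {
    return "This is the HTB Academy module: " + this.name;
  };
  const after = definers(mod, "toString"); // own property now comes first
  return {
    before,
    after,
    missing: definers(mod, "difficulty"), // nowhere in the chain
    text: mod.toString(),
    protoIsBase: Object.getPrototypeOf(mod) === Object.prototype,
  };
}

console.log(demo());
```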
Introduction to Prototype Pollution

Now that the previous section has covered how JavaScript instantiates objects and what
prototypes are, let us discuss prototype pollution.

Prototype Pollution
Prototype Pollution is a vulnerability that can arise under specific conditions when vulnerable
code or libraries are used. Depending on the implementation of the vulnerable function,
prototype pollution can lead to Denial-of-Service (DoS), privilege escalation, remote code
execution, or any other common web vulnerability.

Since the prototype of an object is just a reference to another object, we can edit the
properties of the prototype just like we can edit properties of any object by accessing the
__proto__ property, which references our object's prototype. Consider our previously used
module object again, without the shadowed toString property. We can change the
toString function of our module's prototype, which is the Object.prototype object that all
objects inherit from, like so:


module.__proto__.toString = function () {return "shadowed";}
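
The same kind of write becomes a vulnerability when the property name comes from user input. The following added example (not code from the original module) sets a recursive merge with no key filtering beside a hardened version; `mergeUnsafe`, `mergeSafe`, the `isAdmin` property and the sample request body are hypothetical and constructed for illustration.

```javascript
// Constructed request body. JSON.parse stores "__proto__" as an ordinary own key.
const SAMPLE_BODY = '{"theme": "dark", "__proto__": {"isAdmin": true}}';

const isObj = (v) => v !== null && typeof v === "object";

// Vulnerable (hypothetical helper): recursive copy with no key filtering.
// For key "__proto__", dst[key] evaluates to Object.prototype, so the nested
// write lands on the base prototype shared by all objects.
function mergeUnsafe(dst, src) {
  for (const key of Object.keys(src)) {
    if (isObj(src[key]) && isObj(dst[key])) mergeUnsafe(dst[key], src[key]);
    else dst[key] = src[key];
  }
  return dst;
}

// Hardened: skip keys that reach a prototype, and only recurse into
// properties the destination owns itself.
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);
function mergeSafe(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED.has(key)) continue;
    const own = Object.prototype.hasOwnProperty.call(dst, key);
    if (isObj(src[key]) && own && isObj(dst[key])) mergeSafe(dst[key], src[key]);
    else dst[key] = src[key];
  }
  return dst;
}

function demo() {
  const unrelated = {}; // never passed to either merge
  mergeSafe({}, JSON.parse(SAMPLE_BODY));
  const afterSafe = unrelated.isAdmin; // still undefined
  mergeUnsafe({}, JSON.parse(SAMPLE_BODY));
  const afterUnsafe = unrelated.isAdmin; // inherited from the polluted prototype
  // Two checks that are not fooled by an inherited value:
  const own = Object.prototype.hasOwnProperty.call(unrelated, "isAdmin");
  const bare = Object.create(null).isAdmin; // null-prototype object has no chain
  delete Object.prototype.isAdmin; // undo the pollution
  return { afterSafe, afterUnsafe, own, bare };
}

console.log(demo());
```

Filtering keys in the merge and checking own properties at the point of use are independent defences; either one alone stops the inherited `isAdmin` from being trusted in this example.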

