Browser Console test: lodash
Lodash was recently identified as having a security flaw up through the current release version.
I wanted to:
- see what version was currently running on a webapp
- reproduce a tell-tale script to confirm the vulnerability
- rebuild the app with the fixed version
- confirm the vulnerability was fixed
To get the current version I entered _.VERSION in the console with the site loaded. I added this as a live expression (click the eyeball next to the console filter) so I could keep tabs on the version as I accessed different parts of the app and rebuilt it with the fixed version.
Then I entered in the console the tell-tale script that lodash author jdalton had provided on HackerOne:
With the vulnerability, console(c) prints
After rebuilding with the fixed version of lodash, the same script prints
I noticed after pasting the images that it is important to include the _.VERSION value in the screenshot if you intend to document patching this kind of issue efficiently.