Browser Console test: lodash

Lodash was recently identified as having a security flaw (prototype pollution) affecting versions up through the current release. I wanted to see which version was currently running on a webapp, and then:

  • reproduce a tell-tale script to confirm the vulnerability
  • rebuild the app with the fixed version
  • confirm the vulnerability was fixed.

To get the current version I entered _.VERSION in the console with the site loaded. I added this as a live expression (click the eyeball icon next to the console filter) so I could keep tabs on the version as I accessed different parts of the app and rebuilt it with the fixed version.

[Screenshot: entering the version script in the live expression editor]

Then I entered the telltale script in the console:

_.zipObjectDeep(['a.b.__proto__.c'],[123])

which was provided on HackerOne by lodash author jdalton.

With the vulnerable version, entering c in the console afterwards prints

"123"

After rebuilding with the fixed version of lodash, the same script followed by c prints

undefined

[Screenshot: prototype pollution reproduced]
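The check above can be scripted rather than typed by hand. The block below is an added example, not code from the post or from lodash: a minimal dotted-path deep-set in the style of zipObjectDeep, once in the vulnerable form and once hardened to refuse prototype-reaching segments, plus a lookup that mirrors typing c in the console. setPath, safeSetPath, lookup, cleanup and demo are names chosen here, not lodash APIs.

```javascript
// Path segments that would walk from a plain object onto a prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable deep-set: walks the dotted path and creates intermediate
// objects. A "__proto__" segment resolves to Object.prototype, so the
// final assignment lands on every object in the realm.
function setPath(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) {
      cur[keys[i]] = {};
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened deep-set: reject any segment that can reach a prototype
// before touching the target at all.
function safeSetPath(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => UNSAFE_KEYS.has(k))) {
    throw new Error(`refusing prototype-reaching path: ${path}`);
  }
  return setPath(target, path, value);
}

// Equivalent of typing `c` in the console: what does a fresh object inherit?
function lookup(name) {
  return ({})[name];
}

// Undo a pollution so later checks start clean (test hygiene, not a fix).
function cleanup(name) {
  delete Object.prototype[name];
}

// Runs the post's procedure end to end with the constructed payload
// 'a.b.__proto__.c' and returns what `c` looks like at each stage.
function demo() {
  const before = lookup('c');
  setPath({}, 'a.b.__proto__.c', 123);
  const vulnerable = lookup('c');
  cleanup('c');
  let patched;
  try { safeSetPath({}, 'a.b.__proto__.c', 123); } catch (e) { patched = lookup('c'); }
  return { before, vulnerable, patched };
}
```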

I noticed after pasting the images that the screenshot should include the VERSION value if you intend to document patching this kind of issue efficiently.
