Burp Suite User Forum

Prototype Pollution not marked as passed

Fernando | Last updated: Nov 15, 2022 12:21AM UTC

Hello team, I passed the DOM XSS prototype pollution and was able to get the alert; however, the platform is not marking it as solved. Should it be working like with the other challenges?

https://portswigger.net/web-security/prototype-pollution/finding/lab-prototype-pollution-dom-xss-via-client-side-prototype-pollution

Michelle, PortSwigger Agent | Last updated: Nov 15, 2022 12:49PM UTC

Thanks for your message. We'll be releasing the solutions for these labs soon. When we checked the lab, it did mark as solved. Have you tried using DOM Invader to help solve the lab?

Fernando | Last updated: Nov 15, 2022 02:56PM UTC

Hello Michelle, thanks for your response! I used DOM Invader to find the prototype pollution source and then manually identified the place where a custom script is inserted into the DOM. With these two parameters I can see the alert; my external JS file has the alert() code.

search=xxx
__proto__[transport_url]=URL_to_an_external_js_file

Feel free to censor / delete this post if it's spoiling the challenge!

Michelle, PortSwigger Agent | Last updated: Nov 16, 2022 12:07PM UTC

We don't want to give away too many clues before we publish the solutions :) The solutions will probably be released within the next week, so watch out for those, and if you're still having issues, let us know.