Everything you need to know about Prototype Pollution

Intro
What you need to verify a Prototype Pollution.
What is susceptible to Prototype Pollution manipulation?
Property definition by path/location
Simple Example Prototype Pollution payloads
Polluting the DOM

Intro

Prototype Pollution is a vulnerability that allows attackers to exploit the rules of the JavaScript programming language, by injecting properties into existing JavaScript language construct prototypes, such as Objects to compromise applications in various ways.

JavaScript allows all Object attributes to be altered. This includes their magical attributes such as __proto__, constructor and prototype.

An attacker is able to manipulate these attributes to overwrite, or pollute a JavaScript application object prototype of the base object, by injecting other values.

Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain, resulting in either:

Denial of Service – by triggering JavaScript exceptions
Remote Code Execution – by tampering with the application source code to force the code path that the attacker injects
XSS – see examples below

Why is Prototype Pollution an issue?

In Javascript, prototypes define an object’s structure and properties, so that the application knows how to deal with the data. When new objects are created, they carry over the properties and methods of the prototype “object”. If you modify the prototype in one place, it will affect how the objects work throughout an entire application.

What you need to verify a Prototype Pollution

If you have a Firefox or Chrome browser installed, you should be good to go! In this blog, I will be using Firefox.

Simply open the Firefox Developer Tools from the menu by selecting Tools -> Web Developer -> Toggle Tools or use the keyboard shortcut Ctrl + Shift + I or F12 on Windows and Linux, or Cmd + Opt + I on macOS.

What is susceptible to Prototype Pollution manipulation?

The impact and severity of Prototype Pollution depends on the application. Property definition by path/location is a key example.

Property definition by path/location

There are numerous JavaScript libraries which are vulnerable to Prototype Pollution due to document.location. Finding out which are vulnerable is easy. GitHub user BlackFan maintains a list of libraries that are vulnerable to Prototype Pollution due to document.location. You can find this list here. An example of a high severity prototype pollution security vulnerability was discovered in the lodash library (versions less than 4.17.15).

Let’s dissect the JavaScript objects to better understand what is happening.

First, we will create an object and access its attributes.

For example, if we create object Book as:
var book = {bookName: "Book name", authorName: "Author of book"};

We can access the name and the author using two different notations, the dot notation (e.g.: book.name), and the square bracket notation (e.g.: book[“name”]).

`book.bookName`	//output: “Book name”
`book["bookName"]`	//output: “Book name”
`var name = "bookName";`
`Book[name]`	//output: “Book name”

`book.authorName`	//output: “Author of book”
`book["authorName"]`	//output: “Author of book”
`var author = "authorName";`
`book[author]`	//output: “Author of book”

The object Object has a few properties for its prototype. We are interested in “constructor“ and “__proto__“.

You can see all available properties of the Object by typing Object.prototype. in the console of a web browser by opening developer tools.

Now that you know how to access these attributes and list them, how can you use this to add something and pollute the Object?

Let’s create an object book and try to access some non-existent values?
var book = {bookName: "Book name", authorName: "Author of book"};book.constructor.protoSomeRandomName // this will not work, since there is no attribute protoSomeRandomName

but what if we do this
Object.__proto__["protoSomeRandomName"]="protoSomeRandomValue"book.constructor.protoSomeRandomName // this will work and return value protoSomeRandomValue (is it magic? not really)

We proved this indeed polluted all the objects created from the object Object with the new attribute, and all of these new objects have inherited this attribute from the prototype.

Simple Example Prototype Pollution payloads

Object.__proto__["protoSomeRandomName"]="protoSomeRandomValue"Object.__proto__.protoSomeRandomName="protoSomeRandomValue"Object.constructor.prototype.protoSomeRandomName="protoSomeRandomValue"Object.constructor["prototype"]["protoSomeRandomName"]="protoSomeRandomValue"

Polluting the DOM

Examples for vulnerable document.location parsers

Credits go to: s1r1us

https://msrkp.github.io/pp/1.html?__proto__[protoSomeRandomName]=protoSomeRandomValue

https://msrkp.github.io/pp/2.html?__proto__[protoSomeRandomName]=protoSomeRandomValue

https://msrkp.github.io/pp/3.html?__proto__[protoSomeRandomName]=protoSomeRandomValue

XSS examples

XSS example #1 https://msrkp.github.io
XSS example #2 https://msrkp.github.io

var book = {bookName: "Book name", authorName: "Author of book"};console.log(book.toString())
//output: “[object Object]”

book.__proto__.toString = ()=>{alert("polluted")}console.log(book.toString())// alert box pops up: “polluted”

Remediating this vulnerability:

This vulnerability can be fixed by:

Freezing the prototype
1. Object.freeze(Object.prototype);
2. Object.freeze(Object);

Schema validation of JSON input
Avoid using unsafe recursive merge functions
Using Map instead of Object
Use Prototypeless Object

var obj = Object.create(null);
obj.__proto__ //output undefined
obj.constructor //output undefined

Bright enables developers and security teams to automatically detect Prototype Pollution vulnerabilities, seamlessly integrated across your pipelines, with no-false positives and built with a Dev first approach.

Request a demo now or give it a try today with a FREE account!

What is Business Constraint Bypass

Intro
Importance.
Attack
Remediation
Bright and Business Constraint Bypass

While security professionals pay significant attention to technical vulnerabilities such as SQL Injection, CSRF and Cross-Site Scripting, modern applications are just as susceptible to business logic flaws. Business logic flaws defy easy categorization and the skill of discovering them can be more art than science.

In this post, we will discuss business constraint bypass vulnerabilities (a unique case of business logic vulnerability) and give AppSec people & pen testers a few tips on how to test for this type of vulnerability.

Intro

Business Constraint Bypass can seem simple and harmless at first but can lead to a series of serious problems. Impacts can vary from getting data the user should not have access to, to application-based DoS attacks.

Importance

Why is this specific attack important, and how can it impact your business?

Let’s take for example a website that will provide information on the best software for Application Security Testing. The free version of the application returns only the top three results, and if you want to see the whole list, you have to pay. Or maybe you want to see the top ten visited websites from a certain category. With the free version you can make only three requests, and if you need more than those three requests, you have to pay.

Business constraint bypass attacks exist because of applications like these. It will try to bypass the constraint and get as much data as possible for free.

Even if data is not accessed unlawfully, this attack might cause a small application based DoS attack, or if the attacker is able to distribute the request, a full-blown DDoS.

Attack

Recon

What I like to do first is to find a parameter that might be modifiable to return more data than necessary. This is done usually while going through the application and looking at all of its possibilities. If I see a page that only shows something like 10 results of a certain data and the only way to get more is to click “Next page” I flag that as a possible candidate for constraint bypass attack.

Once I have my candidate I check what requests take place while that page is being loaded. What usually happens in modern applications is that an API request is called for n values of that data.

The next step is trying to cURL that API call and if that works, we’re all set to start attacking.

Exploitation

Let’s say we have this API call that we want to attack /api/v1/get_books/10/site/all_books. This call gets 10 books on page “All books”.

What we want to attack is the integer value of 10 and we want more books. How do we do that? I usually follow these steps when generating this attack:

First, you would execute the API call to see if you can get the JSON/YAML of the items you want (in our case its books). This can be done easily by executing the request in the browser itself in a new tab or if you’re feeling like a hacker you can use cURL.

Once we confirm that we can return the data we want we can continue to the next step, increasing the number of items.

This is really simple, we just change the number 10 in the call with a 100, and if it returns 100 items (books) we’ve succeeded in an attack.

The next step is trying to see if we can get a 1000 or even more items.

What if we have a call that’s almost the same as the previous one but it has one more parameter in it. Like this:

/api/v1/get_books/10/site/all_books?hash=abcd-12fa-be34-c45d. What does this change for us? This specific hash probably refers to some type of session that the application is using so you wouldn’t abuse the same API call and it’s valid for a short timeframe.

What I usually do in this case is prepare an API call that I want to call but not execute it (so something like this /api/v1/get_books/100/site/all_books?hash= and then record a regular API request but take the hash from it and plug it into our own call with a modified number of items.

This will usually do the trick in scenarios like these.

Another thing I’ve seen is duplicated parameters, so an API call ends up looking something like this:

/api/v1/?books=10&page=all_books&hash=some-weird-short-hash&books=10&page=all_books&hash=some-weird-short-hash

As you can see every parameter is being duplicated and if they obfuscate the names to something weird or shorten them you might end up seeing something like the following: /api/v1/?b=10&p=all_books&h=weird-hash&b=10&p=all_books&h=weird-has

There are a couple of ways to proceed in such cases. , First, we need to analyze the situation to figure out which parameter we’re actually attacking.

If we execute this and get 10 items, it’s pretty obvious we’re attacking the parameter b.
If there are multiple different parameters with different names but the same values we would need to manually check all of them to see which ones are actually the ones that are required by us.
Once we know which parameters we’re attacking (in our case b) we can proceed to modify it.

One way to modify is to change both values and see if it gets you the number of items you want, so the API call might end up looking something like this: /api/v1/?b=2448&p=all_books&h=weird-hash&b=2448&p=all_books&h=weird-hash

And if this works, great, we have a way of getting more items, if it doesn’t work it means there is some weird check in the background.

Another way to do this is to remove the duplicated parameters and see if the API call still works, this can get a bit complicated since you might need to remove some specific double parameters but leave others, so you would need to play around with the call itself.

Additional tips

If you want to get the maximum number of items allowed it’s probably best to use something like a modified binary search (O(log n)). Since we don’t know the max value we can return we can do something like this:

If a regular call is for 10 items, and we know that we can get a hundred, for example, we need to increase it a lot more. Go for something a bit more absurd like 10.000 items
If 10.000 items work you would increase this even further but it will be a bit harder to both verify the amount of data and your browser might act a bit weird with a large JSON so be careful about those things.
Let’s say 10.000 doesn’t work but we know that 100 does. The next step is as a binary search goes to check the half point of those two.
We make a request for 5.000 items. And depending on if this works or not we have two possible paths.
- First is if it works, we take another half-point between 5.000 and 10.000, which is 7.500 items. And repeat the previous step.
- Second is if it doesn’t work, we take a half-point between 5.000 and a 100, and that would be 2.500 items. And repeat the previous step.
We do this until we get to the number of items we want and we know work

If you can’t get the API request to work, and it looks something like this /api/v1/books/10/page/all_books. The issue could be in the additional parameter that we’re not actually using, page.

What we can do is try removing it and see if that works, our API call ends up with something like /api/v1/books/10.

This can be applied to any parameter that isn’t the one we’re attacking, try removing it and see how the API responds. This is a lot of trial and error until you get it to work but it can make your life a lot easier.

Remediation

Always check the amount of data being requested via an API call. Just because the API is made to be invisible to the user, doesn’t mean it’s actually invisible to everyone.

If you need the API to be dynamic, make sure to either limit it by user or use-case, including the session in the request itself.

Never trust that an API call that’s available from the internet won’t be used or abused by anyone other than your application.

Bright and Business Constraint Bypass

Business Logic Attacks represent a major issue in modern applications.

While a vulnerability like Business Constraint Bypass is easy to find, most automated AST tools are not able to detect it.

Bright is the only DAST solution capable of detecting Business Logic Constraint vulnerabilities in applications and APIs. Simply initiate a scan (using GUI or CLI) and among other vulnerabilities, Bright will also test for business constraint bypass. The resulting report comes completely false-positive free, with remediation guidelines for you and your team. Integrate Bright with Jira, Slack, or any other issue tracking tool and assign any finding as a ticket to your colleagues.

To see these and many other features of Bright in action, request a demo – https://brightsec.com/request-a-demo

The Ultimate Beginners Guide to XSS Vulnerability

Intro
Importance of XSS vulnerabilities.
Some known XSS attacks in the wild
Types of XSS
Attacks
Prevention
DOM XSS
Summary

Intro

Cross-site scripting (XSS) is an old but always relevant and dangerous type of attack that plagues almost all web applications, be it older or modern ones. It relies on developers using javascript to enhance the experience of end-users of their application, but when the javascript isn’t properly handled it leads to many possible issues, and one of them is XSS.

Importance of XSS vulnerabilities

The risk of XSS is that the malicious code is usually injected directly into the vulnerable application and not a redirect site that the user might watch out for. So if you often go to example.com and someone sends you a link of one of their articles that goes something like example.com/this-article-is-good?id=%3Cscript%3Ealert%281%29%3C%2Fscript%3E you’ll probably click it because it’s something you’re really used to. What you’re not aware of is that there was some code injected in the site without your or the site’s approval and that code might steal your session, take some screenshots, activate a keylogger, etc…

An even more dangerous type of XSS vulnerability is the persistent one where you don’t even have to click on a link to execute the code, you just browse to some page on a site you trust and an attackers comment containing malicious code that was saved in the database is displayed on the site and suddenly you and everyone who visits that page is triggering something they really don’t want to trigger.

Some known XSS attacks in the wild

One of the most famous examples of XSS is the “Samy“. Samy is one of the fastest spreading malwares in internet history. It abused unsanitized profile posts to inject harmful javascript code that was saved to the database and then activated whenever a user viewed that post, thus spreading the worm to themselves and so on.

Yahoo account hijack via email phishing and XSS, attackers made a page with malicious javascript that would steal cookies of visitors. The attack was executed by sending an email with a link to the popular news page article, but the link linked back to the attacker’s site which contained malicious code.

Types of XSS

The three most common types of XSS are:

– Reflected
– Persistent
– DOM-based XSS

You can read more about these types and how and why they work here.

Attacks

Let’s start with the basics

XSS is a really easy attack to start testing and seeing if you can execute malicious code. To get started, find some possible injection points in your targets and start with some simple basic payloads and see how the page reacts and then try to break it.

Finding possible injection points

The easiest way to find possible injection points is to see if reflection happens somewhere. A good example for this is usually the search bar where once you search for something you get the string you searched back at the top of the page.

In the image above you can clearly see reflection happening and this is a prime spot to start testing for XSS.

Another good place to start injecting is a form in which text will be displayed to a large number of people. A good example of this is comments on a page, a review, post, or basically anything that will be seen by someone other than you.

Inspecting the elements and analyzing the reflection

Once you found a reflection point it’s a good idea to analyze it a bit and see how things are getting reflected, what do they pass through to get reflected back to you and how you can get over some of the common hurdles that developers put in to stop XSS attacks.

A good first step is to inject a bunch of random characters to see if some are blacklisted. this includes characters like < > / ; ! # $ and combinations of them to see if they are all reflected properly. Another good way to see for common blacklisting is doing some basic injections and seeing how they are reflected.

After playing around with the input field itself it’s good to check the frontend code to see if it’s sanitized somewhere. Then, check the javascript files that the input field goes through to see that.

Basic injections

Doing basic injections is a great way to see how the field is reflecting the input and what it’s doing with it behind the scenes.

First start with injecting the most basic alert: . What is reflected back to you, just the alert part, maybe you got a popup (if you did you found the goldmine, go ahead and break the whole site because there are probably a bunch more vectors possible), maybe it just filtered out special characters, maybe nothing got reflected, or in the worst case everything got reflected nicely back to you.

Depending on what got reflected back to you you can start crafting your payload.

Here are some examples on different simple injections and bypasses and how to work through them:

1. Basic injection works in the URL parameter id (broken_site/xss/1?id=)

2. Basic injection doesn’t work but we get some reflection (http://100.26.239.14:3000/vuln/xss/2?id=)

In this example we see that there is reflection but the script tags are filtered out, let’s play a bit with them to see how we can get them displayed.

Let’s see if capitalization breaks out of the blacklisting. Next payload is broken/site/xss/2?id=.

And it worked, the filtering used was just checking lowercase/uppercase characters and not mixed case.

3. Let’s try on another page, again we start with basic injection to scout it out broken_site/xss/3?id=

Again as in the previous example, let’s mix the case and see how that reacts broken/site/xss/3?id=

Pretty much the same as the previous try, nothing changed, looks like it sanitizes the input to only one case and then checks it.

Let’s try wrapping it to see if it does just one check or multiple checks. Payload is broken_site/xss/3?id=ript>alert(1)ript>

And this worked, the site just checks once if the payload contains the script tags and removes them, once it removes them we get another set of script tags that we wrapped around the removed ones and we get the successful alert prompt.

4. Page 4, again basic injection to see what’s going on broken_site/xss/4?id=

Here we get an interesting reflection, where some tags are still there but there is no script.

Let’s try wrapping it up to see what’s happening with the payload broken_site/xss/4?id=ript>alert(1)ript>

It looks like the page uses some sort of regex to filters the script out, let’s try something other than script.

Injecting a basic a tag and seeing how the site reacts to that. Payload is broken_site/xss/4?id=Click me!. What we do here is basically create a link that says click me, and when we hover the mouse over it, the alert box should execute.

We have the link on the site, let’s try hovering over it to see if we get the alert box.

And that worked because the whole focus of filtering was the script tag, the developers forgot about a tag and left that for the injections.

5. Another page, again we try the basic injection to see what’s going on with the site broken_site/xss/5?id=

Nothing gets reflected, let’s try wrapping it and seeing how it behaves then. Payload is broken_site/xss/5?id=ript>alert(1)ript>

We get some reflection, but it doesn’t really help us out.

Let’s try with the a tag and see how it behaves, we’re still not sure what’s being filtered here.

Payload is broken_site/xss/5?id=Click me!

We get the link but when we try to hover over it, it doesn’t actually execute anything. So it isn’t the script tag that is being filtered out but the alert is the culprit here. Let’s try converting it from ascii code to characters using some basic JS. Open up your developer tools by pressing F12 in your favorite browser and go to the Console tab. Type the following String.fromCharCode(97) and press Enter. You should get the character a displayed in your console. Now let’s craft up our alert box with this. Function is String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41) and let’s put that into eval so it executes.

Payload is broken_site/xss/5?id=Click me!

And once we hover on it.

It worked.

Another thing that would’ve worked in this case if we injected prompt or confirm instead of alert.

This is the standard way of working through to figure out how to get the prompt to appear, iteratively trying things until something sticks and then modifying the thing that sticks the best to get the prompt. Another good thing to do is to inspect the element and see the code around it to see if you can get something out of that. It’s really useful for detecting DOM-XSS issues.

The site we used to test these injections is Broken Crystals, and you can also contribute to it to make it better.

Going crazy with the payloads

XSS Payloads can and do get really crazy real fast, and the AppSec community created some great payloads that you can just copy and paste to see if they work.

Some common bypasses are:

– Encodings

– URL encoding

to %3Cscript%3Ealert%281%29%3C%2Fscript%3E

– Base64 encoding

to PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==

– Hexadecimal encoding without semicolon

to %3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E

– Decimal HTML character

– Decimal HTML character without semicolon

to <script>alert(1)</script>

– Octal encoding

javascript:prompt(1) to javascript:'160162157155160164506151'

– Unicode encoding %EF%BC%9E -> > and %EF%BC%9C -> <

to %EF%BC%9Cscript%EF%BC%9Ealert(1)%EF%BC%9C/script%EF%BC%9E

- Using jsfuck

- Embedding encoded characters that don't break the script (tab, newline, carriage return)

- Embedding tab

to alert(1)

- Embedding newline

to alert(1)

- Embedding carriage return

to alert(1)

- Null breaks

to alert(1);

Null breaks should be done either through a proxy or by embedding the %00 in the URL query, otherwise they won't work properly.

- Character bypasses:

- To bypass quotes for string use String.fromCharCode() function

- To bypass quotes in mousedown event Link

- To bypass space filter use one of /, 0x0c/^L like:

Click me! to Click me!

- To bypass parenthesis for string using `

- To bypass closing tags > use nothing, they don't need to be closed





- Bypassing on...= filter



  - Using null byte



Click me! to Click me!



  - Using vertical tab



Click me! to Click me!



  - Using a /



Click me! to Click me!



- Escaping JS escapes



You're already working in script tags but you need to escape the quotes to inject your own code:



  ";alert(1);//



  or close the script tag and open up your own immediately after:



  





Polyglots



Polyglots are used to save time when testing for XSS. They usually cover a large variety of injection contexts. They aren't the end all be all for XSS but they do speed up the process quite a bit. If the polyglot works, you save a lot of time, if it doesn't you either move on or continue with a lot more specific attack on that input. It all depends on your goal, if it is to test a lot of parameters, polyglots are great, if it is to break a single parameter, you will probably need to dig deep into how that specific part of the application works.



Here is a great polyglot by 0xSobky 



jaVasCript:/*-/*`/*`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//x3csVg/



It covers a large amount of injection contexts and is overall great polyglot to test everything with.



Another great polyglot by s0md3v



-->'"/>. Now anyone that visits our profile gets popup.



DOM XSS Example



In juice-shop in "Search" field type </code>. You will get the popup. Copy the URL <code>http://juice-shop.herokuapp.com/#/search?q=%3Ciframe%20src%3D%22javascript:alert(%60xss%60)%22%3E</code> and send it to your target.</p>



<h2 class="wp-block-heading" id="dast">Prevention</h2>



<h3 class="wp-block-heading" id="reflected-and-stored-xss">Reflected and Stored XSS</h3>



<p>Reflected and stored cross-site scripting can be sanitized on the server-side and there are multiple ways of doing it.</p>



<p>One great way to start is to use a security encoding library to encode all parameters and user input.</p>



<p>Blacklisting characters that are deemed unsafe won't really work out in the long run since some malicious user might figure out some bypass for it as it usually happens. What you need to do is whitelist what is allowed.</p>



<p>If you need to insert parameters/user input data into your HTML body somewhere you need to do HTML escape before insert itself. You will also need to HTML entity encode any character that can switch execution context, such as script, style, or event handlers.</p>



<p>Escape attribute if you need to insert parameters/user input data into your HTML common attributes. Don't use complex attributes like <code>href</code>, <code>src</code>, <code>style</code> or any event handlers. Also quote your attributes since unquoted attributes can be escaped with a lot of different characters, while quotes attributes can only be escaped with the corresponding quote. Escape all non-alphanumeric characters to prevent switching out of the attribute.</p>



<p>Do JavaScript escaping for dynamically generated JS code, where you would need to insert parameters/user data input into either event handlers or script tags. Only real safe place you can put data here is inside any quoted value. Anything else is really tricky to sanitize properly since it's really easy to switch context.</p>



<p>There are many additional things to keep in mind when preventing XSS and you can read more at <a href="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html" target="_blank" rel="noopener">OWASP XSS Prevention</a>.</p>



<h3 class="wp-block-heading" id="for">DOM XSS</h3>



<p>DOM XSS can't be sanitized on the server-side since all execution happens on the client-side and thus the sanitization is a bit different.</p>



<p>Always HTML escape and then JavaScript escape any parameter or user data input before inserting it into the HTML subcontext in the execution context.</p>



<p>When inserting into the HTML attribute subcontext in the execution context do JavaScript escape before it.</p>



<p>Avoid including any volatile data (any parameter/user input) in event handlers and JavaScript code subcontexts in an execution context.&nbsp;</p>



<p>There are a lot more ways to help prevent the DOM XSS and you can read more about it at <a href="https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html" target="_blank" rel="noopener">OWASP DOM XSS Prevention</a>.</p>



<h2 class="wp-block-heading" id="pit">Summary</h2>



<p>Cross-site scripting is an extremely dangerous attack vector that needs constant care and attention to be preventable. Any untrusted data injected into the frontend might cause huge problems.</p>



<p>Both attacking and preventing XSS can get really complicated at all possible levels so follow the proper updated guidelines when protecting and try all the different encodings and bypasses when attacking to have most success.</p>



<p>Cross-site scripting vulnerabilities can be detected by <a href="https://brightsec.com/nexploit-neuralegion/" target="_blank" rel="noreferrer noopener">Bright</a>. <br><br>Bright tests for vulnerabilities in anything from web apps to IoT devices, including APIs, microservices and mobile applications.<br><br>You can sign-up for a free Bright account <a href="https://app.neuralegion.com" target="_blank" rel="noopener">here</a>.</p>



<h2 class="wp-block-heading" id="additional-resources-and-references">Additional resources and references</h2>



<p><a href="https://owasp.org/www-community/xss-filter-evasion-cheatsheet" target="_blank" rel="noopener">OWASP Cheatsheet</a><br><a href="https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot" target="_blank" rel="noopener">XSS Polyglot - 0xsobky</a><br><a href="https://twitter.com/s0md3v/status/966175714302144514" target="_blank" rel="noopener">XSS Polyglot - s0md3v</a><br><a href="https://github.com/payloadbox/xss-payload-list" target="_blank" rel="noopener">XSS Payload List</a><br><a href="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection" target="_blank" rel="noopener">XSS Injection List</a><br><a href="https://github.com/NeuraLegion/brokencrystals" target="_blank" rel="noopener">Broken crystals</a><br><a href="http://juice-shop.herokuapp.com/#/" target="_blank" rel="noopener">OWASP Juice-shop</a><br><a href="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html" target="_blank" rel="noopener">OWASP XSS Prevention</a><br><a href="https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html" target="_blank" rel="noopener">OWASP DOM XSS Prevention</a></p>
                    </div>
                </article>
                                <article id="post-1005" class="post-1005 post type-post status-publish format-standard has-post-thumbnail hentry category-threats-and-vulnerabilities">
                    <header class="entry-header">
                        <h1 class="entry-title">The most common LDAP Injections and how they work</h1>                    </header>

                    <div class="entry-content">
                        
<h2 class="wp-block-heading"><strong>Table of Contents</strong></h2>



<ol class="wp-block-list">
<li><a href="#app">AND LDAP Injection</a></li>



<li><a href="#just">OR LDAP Injection</a>.</li>



<li><a href="#more">BLIND LDAP Injections</a></li>



<li><a href="#ai">How to prevent LDAP vulnerabilities</a></li>
</ol>



<p>In the first part of the <a href="https://brightsec.com/blog/ldap-injection/" target="_blank" rel="noreferrer noopener">LDAP Injections blog</a>, we talked about the basics. The definition of LDAP Services, how they get exploited, and what environments are the most vulnerable to LDAP Injection attacks. In this post&nbsp; we will go over the most common LDAP Injections and show examples so you can learn how hackers use these techniques to exploit vulnerable environments.</p>





<p>What are the most used LDAP Services? ADAM and OpenLDAP. Both are susceptible to injection attacks. Let’s show some LDAP Injection examples that can occur in some of these vulnerable environments:</p>



<p><strong><em>-(attribute=value)&nbsp;</em></strong></p>



<p>IA filter can be used to make a query that’s missing a logic operator (<strong>OR </strong>and <strong>AND</strong>). An injection like:</p>



<p><strong><em>“value)(injected_filter”&nbsp;</em></strong></p>



<p>Results in two filters (the second gets ignored while the first one gets executed in OpenLDAP implementations):</p>



<p><strong><em>(attribute=value)(injected_filter)</em></strong><br></p>



<p>ADAM LDAP doesn’t allow queries with two filters. This renders this injection useless. Then we have the <strong>&#038; </strong>and<strong> | </strong>standalone symbols. Making queries with them looks something like this:</p>



<p>(<strong><em>&#038;(attribute=value)(second_filter))</em></strong></p>



<p>(<strong>|<em>(attribute=value)(second_filter))</em></strong></p>



<p>Filters that have the<strong><em> OR </em></strong>or <strong><em>AND </em></strong>&nbsp;logic operators can make queries in which this injection:</p>



<p><strong><em>“value)(injected_filter”&nbsp;</em></strong></p>



<p>Results in this filter:</p>



<p>(<strong><em>&#038;(attribute=value)(injected_filter)) </em></strong>(second_filter))<strong><em>.</em></strong></p>



<p>As you can see, this filter isn’t even syntactically correct. Yet, OpenLDAP will process it regardless. It will go from left to right and ignore all characters after the first filter closes. What does that entail? Certain LDAP Client components ignore the second filter. The first complete one is sent to ADAM and OpenLDAP. That’s how injections bypass security.&nbsp;</p>



<p>In cases where applications have a framework that checks the filter, it needs to be correct. An example of a synthetically correct injection looks something like:</p>



<p><strong><em>“value)(injected_filter))(&#038;(1=0”</em></strong></p>



<p>This shows two different filters where the second one gets ignored:</p>



<p>(<strong><em>&#038;(attribute=value)(injected_filter))(&#038;1=0) </em></strong>(second_filter))<strong><em>.</em></strong></p>



<p>Since certain LDAP Servers ignore the second filter, some components don’t allow LDAP queries with two filters. Attackers then create special injections to obtain an LDAP query with a single filter. Now an injection like:</p>



<p><strong><em>“value)(injected_filter”</em></strong></p>



<p>Results in this filter:</p>



<p>(<strong><em>&#038;(attribute=value)(injected_filter))</em></strong>(second_filter))<strong><em>.</em></strong></p>



<p>How do attackers test an application to see if it’s vulnerable to code injections? They send a query to the server that generates an invalid input. If a server returns an error message, it means the server executed his query. Meaning code injection techniques are possible. Read more to find out about AND and OR injection environments.</p>



<h2 class="wp-block-heading" id="app">AND LDAP Injection</h2>



<p>In this case, the application constructs a query with the “<strong><em>&#038;</em></strong>” operator. This together with one or more parameters that are introduced by the user is used to search in the LDAP directory.</p>



<p><strong><em>(&#038;(parameter1=value1)(parameter2=value2))</em></strong></p>



<p>The search uses <strong><em>value1 </em></strong>and<strong><em> value2 </em></strong>as values that let the search in the LDAP directory happen. Hackers can maintain a correct filter construction while also injecting their malicious code. This is how they abuse the query to pursue their own objectives.</p>



<h3 class="wp-block-heading">Access Control Bypass</h3>



<p>All login pages have two text box fields. One for the username one for the password. The user inputs are <strong><em>USER</em></strong>(Uname)<strong><em> </em></strong>and<strong><em> PASSWORD</em></strong>(Pwd). A client supplies the user/password pair. To confirm the existence of this pair, LDAP constructs search filters and sends them to the LDAP server.</p>



<p><strong><em>(&#038;(USER=Uname)(PASSWORD=Pwd))</em></strong></p>



<p>An attacker can enter a valid username (john90 for example) while also injecting the correct sequence after the name. This way they successfully bypass the password check. By knowing the username any string can be introduced as the Pwd value. Then the following query gets sent to the server:</p>



<p><em>(&#038;(USER=</em><strong><em>john90)(&#038;)</em></strong><em>)(PASSWORD=Pwd))</em></p>



<p>The LDAP server process only the first filter. The query processes only the <em>(&#038;(USER=</em><strong><em>john90)(&#038;) </em></strong>query. Since this query is always correct, the attacker enters the system without the proper password.</p>



<h3 class="wp-block-heading">Elevation of Privileges</h3>



<p>Some queries list all documents and they’re visible to users that have a low-security level. As an example <em>/Information/Reports, /Information/UpcomingProjects, </em>etc. files in the directory. The “<em>Information” </em>&nbsp;part is the user entry for the first parameter. All these documents have a “<em>Low” </em>security level. The “<em>Low</em>” part is the value for the second parameter. This also allows the hacker to access high-security levels. In order to do that the hacker must use an injection that looks something like this:</p>



<p><strong><em>“Information)(security_level=*))(&#038;(directory=documents”</em></strong></p>



<p>This injection results in this filter:</p>



<p><strong><em>(&#038;(directory=Information)(security_level=*))(&#038;(directory=Information)(security_level=low))</em></strong></p>



<p>If you’ve been paying attention you know the LDAP processes the first filter. The second filter gets ignored. The query that gets processed is <em>(&#038;(directory=</em><strong><em>Information)security level=*)</em></strong><em>). </em>The<em> </em>(&#038;(directory=Information)(security level=low)) is ignored completely. That&#8217;s how hackers see a list of documents that can usually only be accessed by users with all security levels. Even though the hacker doesn’t actually have privileges to see this information</p>



<h2 class="wp-block-heading" id="just">OR LDAP Injection</h2>



<p>There are cases where the application makes a normal query with the (<strong>|</strong>) operator. Together with one or more parameters that the user introduces. An example looks something like this:</p>



<p><strong><em>(|(parameter=value1)(parameter2=value2))</em></strong></p>



<p>As before,<strong><em> value1 </em></strong>and<strong><em> value2 </em></strong>are used for the search.</p>



<h3 class="wp-block-heading">Information Disclosure</h3>



<p>Some resource explorers let a user know exactly which resource is available in the system. For example, a website dedicated to selling clothing. The user can look for a specific shirt or pants and see if they are available for sale. In this situation OR LDAP Injections are used:</p>



<p><strong><em>(|(type=Resource1)(type=Resource2))</em></strong></p>



<p>Both <em>Resource1 </em>and <em>Resource2 </em>show the kinds of resources in the system. <em>Resource1=Jeans </em>&nbsp;and <em>Resource2=T-Shirts </em>show all the jeans and T-Shirts that are available for purchase in the system. How do hackers exploit this? By injecting <strong><em>(uid=*) </em></strong>into <strong><em>Resource1=Jeans</em></strong>. This query then gets sent to the server:</p>



<p><em>(</em><strong><em>|(</em></strong><em>type=</em><strong><em>Jeans)(uid=*)</em></strong><em>)(type=T-Shirts))</em></p>



<p>The LDAP server then shows all the jeans and user objects.</p>



<h2 class="wp-block-heading" id="more">BLIND LDAP Injections</h2>



<p>Hackers can deduce a lot of things just from a server’s response. The application itself doesn’t show any error messages. Yet, the code that’s injected into the LDAP filter will generate a valid response or an error. A true result or a false result. Attackers exploit this behavior to obtain answers to true or false questions from the server. We call these techniques <strong><em>Blind Attacks</em></strong>. Even though blind LDAP Injection attacks aren’t as fast as classic ones, they are easy to implement. Why? Because they work on binary logic. Hackers use blind LDAP Injections to obtain sensitive information from the LDAP Directory.</p>





<h3 class="wp-block-heading">AND Blind LDAP Injection</h3>



<p>Imagine an online shop that can list all Puma shirts from an LDAP directory. But the error messages are not returned. This LDAP search filter gets sent:</p>



<p><strong><em>(&#038;(objectClass=Shirt)(type=Puma*))</em></strong></p>



<p>Any available Puma shirts are shown to the user as icons. If there are no Puma shirts available, the user won’t see any icons. This is where Blind LDAP Injection comes into play. <strong><em>“*)objectClass=*))(&#038;(objectClass=void” </em></strong>is injected and now the application constructs an LDAP query that looks like:</p>



<p><em>(&#038;(objectClass=*</em><strong><em>)(objectClass=*))(&#038;(objectClass=void)</em></strong><em>(type=Puma*))</em></p>



<p>The server process only the <em>(&#038;(objectClass=*)(objectClass=*)) </em>part of the LDAP filter. Now the shirt icon shows to the client. How so? The <em>objectClass=* </em>filter always returns an object. An icon showing means the response is true. Otherwise the response is false. The hackers now have the option of using blind injection techniques in many ways. An example of an injection:</p>



<p><em>(&#038;(objectClass=</em><strong><em>*)(objectClass=users))(&#038;(objectClass=foo</em></strong><em>)(type=Puma*))</em></p>



<p><em>(&#038;(objectClass=</em><strong><em>*)(objectClass=Resources))(&#038;(objectClass=foo</em></strong><em>)(type=Puma*))</em></p>



<p>Different <em>objectClass </em>values can be deduced with the help of these injections. If even a single shirt icon is shown, the <em>objectClass </em>value exists. Otherwise, the <em>objectClass </em>doesn’t exist. A hacker can obtain all sorts of information by using TRUE/FALSE questions via Blind LDAP injections.</p>



<h3 class="wp-block-heading">OR Blind LDAP Injection</h3>



<p>Injection in an OR environment looks like this:</p>



<p><em>(</em>|<em>(objectClass=</em><strong><em>void)(objectClass=void))(&#038;(objectClass=void</em></strong><em>)(type=Puma*))</em></p>



<p>This LDAP query doesn&#8217;t obtain any objects from the LDAP directory service. The shirt icon doesn’t get shown to the client, making it a FALSE response. If an icon is shown it is a TRUE response. In order to gather information the hacker will inject an LDAP filter like this one:</p>



<p><em>(</em>|<em>(objectClass=</em><strong><em>void)(objectClass=users))(&#038;(objectClass=void</em></strong><em>)(type=Puma*))</em></p>



<p><em>(</em>|<em>(objectClass=</em><strong><em>void)(objectClass=Resources))(&#038;(objectClass=void</em></strong><em>)(type=Puma*))</em></p>



<p>It’s the same thing as with the AND Blind Injection. Keep reading to see how you can protect yourself against LDAP vulnerabilities!</p>



<h2 class="wp-block-heading" id="ai">How to prevent LDAP vulnerabilities</h2>



<p>We’ve now reached the part of the blog where we tell you how to protect yourself against LDAP Injections. Unfortunately, firewalls and intrusion detection mechanisms will not help here as all of these attacks occur in the application layer. Your best option is to use minimum exposure points and minimum privileges principles. Those are some of the ways to minimize the danger of these threats. There are other options as well. To further mitigate the dangers of code injection techniques use these mechanisms:</p>



<ul class="wp-block-list">
<li>Static source code analysis</li>



<li>Defensive programming</li>



<li>Advanced input validation</li>



<li>Dynamic checks</li>
</ul>



<p>The most effective way of preventing LDAP Injection attacks is to sanitize and check variables. As variables are the building block of LDAP filters, hackers use special characters in parameters to create malicious injections. AND “&#038;”, OR “|”, NOT “!”, =, >=, <=, ~= are all operators that need to be filtered at the application layer to ensure they’re not used in Injection attacks.&nbsp;</p>



<p>All values which make the LDAP filter should be checked against a list of valid values in the Application Layer before the LDAP receives the query.</p>



<p>In summary, Part 1 and Part 2 cover the basics of LDAP Injections, explains how they work with detailed examples, and provides some prevention guidelines to protect yourself against these attack techniques.</p>
                    </div>
                </article>
                
	<nav class="navigation posts-navigation" aria-label="Posts">
		<h2 class="screen-reader-text">Posts navigation</h2>
		<div class="nav-links"><div class="nav-next"><a href="https://brightsec.com/blog/category/threats-and-vulnerabilities/page/10/" >Newer posts</a></div></div>
	</nav>    </div>
</main>


    <!-- Footer Section -->
    <footer class="footer-section">
        <div class="footer-container">
            <!-- Left Side - Content -->
            <div class="footer-content">
                <h2 class="footer-title">Schedule a call with Bright expert! </h2>
                <p class="footer-description">With a new age on LLM and Gen AI powered applications here on our doorstep</p>
                <div class="footer-buttons">
                                        <a href="https://brightsec.com/product/book-a-demo/" class="footer-btn footer-btn-primary">Book a Demo</a>
                    

                </div>
            </div>

            <!-- Right Side - Certification Logos -->
            <div class="footer-logos">
                <!-- First Row -->
                <div class="footer-logo-row">
                    					       <img src="https://brightsecurdev.wpenginepowered.com/wp-content/uploads/2025/12/Group-3760935.png" alt="Cyber Essentials" class="footer-logo-item">
                    <img src="https://brightsecurdev.wpenginepowered.com/wp-content/uploads/2025/12/Frame-1000002632.png" alt="Cyber Essentials" class="footer-logo-item">
                    <img src="https://brightsecurdev.wpenginepowered.com/wp-content/uploads/2025/12/Group-3760933.png" alt="ISO 9001" class="footer-logo-item">
                    <img src="https://brightsecurdev.wpenginepowered.com/wp-content/uploads/2025/12/image-33.png" alt="AICPA SOC" class="footer-logo-item">
                    <img src="https://brightsecurdev.wpenginepowered.com/wp-content/uploads/2025/12/image-32.png" alt="Fortinet" class="footer-logo-item">
                    <img src="https://brightsecurdev.wpenginepowered.com/wp-content/uploads/2025/12/Frame-1000002629.png" alt="ISO 27701" class="footer-logo-item">
                    <img src="https://brightsecurdev.wpenginepowered.com/wp-content/uploads/2025/12/Layer_2.png" alt="GDPR" class="footer-logo-item">
                                    </div>

                <!-- Second Row -->
                <div class="footer-logo-row">
                                         <img src="https://brightsecurdev.wpenginepowered.com/wp-content/uploads/2025/12/Group-3760935.png" alt="G2 High Performer" class="footer-logo-item small">
                    <img src="https://brightsecurdev.wpenginepowered.com/wp-content/uploads/2025/12/Group-3760936.png" alt="G2 High Performer" class="footer-logo-item small">
                    <img src="https://brightsecurdev.wpenginepowered.com/wp-content/uploads/2025/12/Group-3760937.png" alt="G2 High Performer" class="footer-logo-item small">
                    <img src="https://brightsecurdev.wpenginepowered.com/wp-content/uploads/2025/12/Group-3760938.png" alt="G2 High Performer" class="footer-logo-item small">
                    <img src="https://brightsecurdev.wpenginepowered.com/wp-content/uploads/2025/12/DynamicApplicationSecurityTestingDAST_HighPerformer_Enterprise_HighPerformer-1-1.png" alt="G2 High Performer Enterprise" class="footer-logo-item small">
                    <img src="https://brightsecurdev.wpenginepowered.com/wp-content/uploads/2025/12/DynamicApplicationSecurityTestingDAST_HighPerformer_HighPerformer-1-1.png" alt="G2 High Performer" class="footer-logo-item small">
                                    </div>
            </div>
        </div>
    </footer>

    <!-- Footer Menu Section -->
    <section class="footer-menu-section">
        <div class="footer-menu-container">
            <!-- Top Menu Grid -->
            <div class="footer-menu-top">
                <!-- Platform Column -->
                <div class="footer-menu-column platform">
                    <h3>Platform</h3>
                                            <ul id="menu-platform" class="menu"><li id="menu-item-9225" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-9225"><a href="https://brightsec.com/platform/integrations">Integrations</a></li>
<li id="menu-item-8529" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-8529"><a href="https://brightsec.com/product/bright-star/">Bright STAR</a></li>
<li id="menu-item-9226" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-9226"><a href="https://brightsec.com/platform/dynamic-appsec">Dynamic AppSec</a></li>
</ul>                                    </div>

                <!-- Solutions Column -->
              
                <!-- Resources Column -->
                <div class="footer-menu-column resources">
                    <h3>Resources</h3>
                                            <ul id="menu-resources" class="menu"><li id="menu-item-9110" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-9110"><a href="https://brightsec.com/resources/blogs/">Blogs</a></li>
<li id="menu-item-4774" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-4774"><a href="https://docs.brightsec.com/docs/introducing-to-bright">Doc</a></li>
</ul>                                    </div>

                <!-- Company Column -->
                <div class="footer-menu-column company">
                    <h3>Company</h3>
                                            <ul id="menu-company" class="menu"><li id="menu-item-9773" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-9773"><a href="https://brightsec.com/company/about-us/">About Us</a></li>
<li id="menu-item-9939" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-9939"><a href="https://brightsec.com/company/contact-us/">Contact Us</a></li>
<li id="menu-item-4452" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-4452"><a href="https://brightsec.com/resources/case-studies/">Case Studies</a></li>
<li id="menu-item-9826" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-9826"><a href="https://brightsec.com/company/careers/">Careers</a></li>
<li id="menu-item-9938" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-9938"><a href="https://brightsec.com/company/bug-bounty-program/">Bug Bounty Program</a></li>
</ul>                    
                    <h3 style="margin-top: 24px;">Partners</h3>
                                            <ul id="menu-partners" class="menu"><li id="menu-item-9553" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-9553"><a href="https://brightsec.com/partners/">Become a partner</a></li>
</ul>                                    </div>

                <!-- Newsletter Column -->
                <div class="footer-newsletter">
                    <h3>Get our newsletter </h3>
          <style id="wpforms-css-vars-5108">
				#wpforms-5108 {
				--wpforms-field-size-input-height: 43px;
--wpforms-field-size-input-spacing: 15px;
--wpforms-field-size-font-size: 16px;
--wpforms-field-size-line-height: 19px;
--wpforms-field-size-padding-h: 14px;
--wpforms-field-size-checkbox-size: 16px;
--wpforms-field-size-sublabel-spacing: 5px;
--wpforms-field-size-icon-size: 1;
--wpforms-label-size-font-size: 16px;
--wpforms-label-size-line-height: 19px;
--wpforms-label-size-sublabel-font-size: 14px;
--wpforms-label-size-sublabel-line-height: 17px;
--wpforms-button-size-font-size: 17px;
--wpforms-button-size-height: 41px;
--wpforms-button-size-padding-h: 15px;
--wpforms-button-size-margin-top: 10px;
--wpforms-container-shadow-size-box-shadow: none;
			}
			</style><div class="wpforms-container wpforms-container-full wpforms-render-modern" id="wpforms-5108"><form id="wpforms-form-5108" class="wpforms-validate wpforms-form wpforms-ajax-form" data-formid="5108" method="post" enctype="multipart/form-data" action="/blog/category/threats-and-vulnerabilities/page/11/" data-token="be64d08a182121c511b246a253420713" data-token-time="1777657737"><noscript class="wpforms-error-noscript">Please enable JavaScript in your browser to complete this form.</noscript><div id="wpforms-error-noscript" style="display: none;">Please enable JavaScript in your browser to complete this form.</div><div class="wpforms-field-container"><div id="wpforms-5108-field_1-container" class="wpforms-field wpforms-field-email newsletter-form" data-field-id="1"><input type="email" id="wpforms-5108-field_1" class="wpforms-field-large wpforms-field-required" name="wpforms[fields][1]" placeholder="Email" spellcheck="false" aria-errormessage="wpforms-5108-field_1-error" required></div><div id="wpforms-5108-field_4-container" class="wpforms-field wpforms-field-checkbox" data-field-id="4"><fieldset><legend class="wpforms-field-label">Checkboxes <span class="wpforms-required-label" aria-hidden="true">*</span></legend><ul id="wpforms-5108-field_4" class="wpforms-field-required"><li class="choice-1 depth-1"><input type="checkbox" id="wpforms-5108-field_4_1" name="wpforms[fields][4][]" value="By submitting this form, you agree that Bright may store and process your personal information and contact you about requested content or services. You can unsubscribe anytime. Learn more in our &lt;a href=&quot;https://brightsec.com/privacy-policy-bright-security/&quot; target=&quot;_blank&quot;&gt;Privacy Policy.&lt;/a&gt;" aria-errormessage="wpforms-5108-field_4_1-error" required ><label class="wpforms-field-label-inline" for="wpforms-5108-field_4_1">By submitting this form, you agree that Bright may store and process your personal information and contact you about requested content or services. You can unsubscribe anytime. Learn more in our <a href="https://brightsec.com/privacy-policy-bright-security/" target="_blank">Privacy Policy.</a></label></li></ul></fieldset></div>		<div id="wpforms-5108-field_2-container"
			class="wpforms-field wpforms-field-text"
			data-field-type="text"
			data-field-id="2"
			>
			<label class="wpforms-field-label" for="wpforms-5108-field_2" >Checkboxes utm_medium utm_content</label>
			<input type="text" id="wpforms-5108-field_2" class="wpforms-field-medium" name="wpforms[fields][2]" >
		</div>
		<div id="wpforms-5108-field_6-container" class="wpforms-field wpforms-field-hidden utm_term" data-field-id="6"><input type="hidden" id="wpforms-5108-field_6" name="wpforms[fields][6]"></div><div id="wpforms-5108-field_7-container" class="wpforms-field wpforms-field-hidden utm_source" data-field-id="7"><input type="hidden" id="wpforms-5108-field_7" name="wpforms[fields][7]"></div><div id="wpforms-5108-field_8-container" class="wpforms-field wpforms-field-hidden utm_content" data-field-id="8"><input type="hidden" id="wpforms-5108-field_8" name="wpforms[fields][8]"></div><div id="wpforms-5108-field_9-container" class="wpforms-field wpforms-field-hidden utm_medium" data-field-id="9"><input type="hidden" id="wpforms-5108-field_9" name="wpforms[fields][9]"></div><div id="wpforms-5108-field_10-container" class="wpforms-field wpforms-field-hidden utm_gclid" data-field-id="10"><input type="hidden" id="wpforms-5108-field_10" name="wpforms[fields][10]"></div><script>
				( function() {
					const style = document.createElement( 'style' );
					style.appendChild( document.createTextNode( '#wpforms-5108-field_2-container { position: absolute !important; overflow: hidden !important; display: inline !important; height: 1px !important; width: 1px !important; z-index: -1000 !important; padding: 0 !important; } #wpforms-5108-field_2-container input { visibility: hidden; } #wpforms-conversational-form-page #wpforms-5108-field_2-container label { counter-increment: none; }' ) );
					document.head.appendChild( style );
					document.currentScript?.remove();
				} )();
			</script></div><!-- .wpforms-field-container --><div class="wpforms-submit-container" ><input type="hidden" name="wpforms[id]" value="5108"><input type="hidden" name="page_title" value="Threats and Vulnerabilities"><input type="hidden" name="page_url" value="https://brightsec.com/blog/category/threats-and-vulnerabilities/page/11/"><input type="hidden" name="url_referer" value=""><button type="submit" name="wpforms[submit]" id="wpforms-submit-5108" class="wpforms-submit" data-alt-text="Sending..." data-submit-text="Submit" aria-live="assertive" value="wpforms-submit">Submit</button><img src="https://brightsec.com/wp-content/plugins/wpforms/assets/images/submit-spin.svg" class="wpforms-submit-spinner" style="display: none;" width="26" height="26" alt="Loading"></div></form></div>  <!-- .wpforms-container -->

                   <!-- <p class="newsletter-disclaimer">
                        By submitting this form, you consent to allow Bright to store and process the personal information submitted and to contact you in regards to the content or services requested. You may unsubscribe from these communications at any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, please review our privacy policy.-->
                    </p>
                </div>
            </div>

            <!-- Bottom Section -->
            <div class="footer-menu-bottom">
                <div class="footer-bottom-left">
                                        <img src="https://brightsec.com/wp-content/uploads/2026/03/logo-white.png" alt="Bright" class="footer-logo-bottom">
                    <span class="footer-copyright">All rights reserved © Bright Security 2026</span>
                    <div class="footer-bottom-links">
                        <span class="separator">✦</span>
                        <a href="https://brightsec.com/terms-of-service/">Terms of service</a>
                        <span class="separator red">✦</span>
                        <a href="https://brightsec.com/privacy-policy-bright-security">Privacy policy</a>
                        <span class="separator pink">✦</span>
                        <a href="https://brightsec.com/cookies-policy/">Cookies policy</a>
                    </div>
                </div>

                <div class="footer-social-icons">
                                    </div>
            </div>
        </div>
    </section>
<!--     <script charset="utf-8" type="text/javascript" src="//js.hsforms.net/forms/embed/v2.js"></script>
    <script>
        hbspt.forms.create({
        portalId: "6358575",
        formId: "8b706c0e-c558-4d80-ba8c-36a9ef1222c0",
        region: "na1",
        target: "#hubspot-form-container" 
    });
    </script> -->
<!--blog Serch Js-->
<script>
jQuery(document).ready(function ($) {

  let timer = null;

  function loadBlogPosts(keyword = '', paged = 1, updateUrl = true) {
    $.ajax({
      url: 'https://brightsec.com/wp-admin/admin-ajax.php',
      type: 'POST',
      data: {
        action: 'blog_ajax_search',
        keyword: keyword,
        reset: keyword === '' ? 1 : 0,
        paged: paged
      },
      beforeSend: function () {
        $('#blog-grid').html('<p style="padding:20px">Loading...</p>');
      },
      success: function (response) {
        $('#blog-grid').html(response);

        if (updateUrl) {
          let newUrl = window.location.pathname;

          if (paged > 1) {
            newUrl = newUrl.replace(/\/page\/\d+\/?$/, '');
            newUrl = newUrl.replace(/\/$/, '');
            newUrl += '/page/' + paged + '/';
          } else {
            newUrl = newUrl.replace(/\/page\/\d+\/?$/, '/');
          }

          if (keyword !== '') {
            newUrl += '?search=' + encodeURIComponent(keyword);
          }

          window.history.pushState({}, '', newUrl);
        }

        $('html, body').animate({
          scrollTop: $('#blog-grid').offset().top - 120
        }, 400);
      }
    });
  }

  $(document).on('input', '#ajax-search-input', function () {
    clearTimeout(timer);
    let keyword = $(this).val().trim();

    timer = setTimeout(function () {
      loadBlogPosts(keyword, 1, true);
    }, 300);
  });

  $(document).on('click', '.b-lobby__posts-pagination a', function (e) {
    e.preventDefault();

    let keyword = $('#ajax-search-input').val().trim();
    let href = $(this).attr('href');
    let paged = 1;

    let match = href.match(/paged=([0-9]+)/);
    if (match && match[1]) {
      paged = parseInt(match[1]);
    } else {
      let pathMatch = href.match(/\/page\/([0-9]+)/);
      if (pathMatch && pathMatch[1]) {
        paged = parseInt(pathMatch[1]);
      }
    }

    loadBlogPosts(keyword, paged, true);
  });

});
</script>


<script>
(function () {

  function getParam(param) {
    return new URLSearchParams(window.location.search).get(param);
  }

  function setValue(className, paramName) {
    var field = document.querySelector('.' + className + ' input[type="hidden"]');
    if (!field) return;

    var value = getParam(paramName);
    if (value) {
      field.value = value;
    }
  }

  function fillUTMFields() {
    setValue('utm_source', 'utm_source');
    setValue('utm_medium', 'utm_medium');
    setValue('utm_term', 'utm_term');
    setValue('utm_content', 'utm_content');
    setValue('gclid', 'gclid');
  }

  document.addEventListener('DOMContentLoaded', function () {
    fillUTMFields();
    setTimeout(fillUTMFields, 1000);
    setTimeout(fillUTMFields, 3000);
  });

})();
</script>

<script type="speculationrules">
{"prefetch":[{"source":"document","where":{"and":[{"href_matches":"/*"},{"not":{"href_matches":["/wp-*.php","/wp-admin/*","/wp-content/uploads/*","/wp-content/*","/wp-content/plugins/*","/wp-content/themes/brightsecur-theme/*","/*\\?(.+)"]}},{"not":{"selector_matches":"a[rel~=\"nofollow\"]"}},{"not":{"selector_matches":".no-prefetch, .no-prefetch a"}}]},"eagerness":"conservative"}]}
</script>
<script>
(function(){
  console.log('UTM Field Populator - WPForms Format - Starting...');
  
  function getCookie(name){
    var value = "; " + document.cookie;
    var parts = value.split("; " + name + "=");
    if(parts.length === 2) {
      var cookieValue = decodeURIComponent(parts.pop().split(";").shift());
      return cookieValue;
    }
    return '';
  }
  
  function populateFields(){
    console.log('Attempting to populate WPForms fields...');
    
    // Get all hidden input fields
    var allHiddenFields = document.querySelectorAll('input[type="hidden"]');
    
    // UTM cookie names
    var utmCookies = {
      'utm_source': getCookie('utm_source'),
      'utm_medium': getCookie('utm_medium'),
      'utm_campaign': getCookie('utm_campaign'),
      'utm_term': getCookie('utm_term'),
      'utm_content': getCookie('utm_content'),
      'landing_url': getCookie('landing_url')
    };
    
    // Loop through all hidden fields and check their IDs
    allHiddenFields.forEach(function(field){
      var fieldId = field.id.toLowerCase();
      var fieldName = field.name.toLowerCase();
      
      // Check if field ID or name contains UTM parameter name
      Object.keys(utmCookies).forEach(function(utmParam){
        var cookieValue = utmCookies[utmParam];
        
        if(cookieValue && (fieldId.includes(utmParam.replace('_', '')) || fieldName.includes(utmParam))){
          if(!field.value || field.value === ''){
            field.value = cookieValue;
            console.log('✓ Field populated: ' + field.name + ' = ' + cookieValue);
          }
        }
      });
    });
    
    console.log('UTM Field Populator - Complete');
  }
  
  // Wait for page to load
  if(document.readyState === 'loading'){
    document.addEventListener('DOMContentLoaded', function(){
      setTimeout(populateFields, 1500);
    });
  } else {
    setTimeout(populateFields, 1500);
  }
})();
</script><script>
document.addEventListener("DOMContentLoaded", function(){
    function getVal(name){
        return sessionStorage.getItem(name)
            || localStorage.getItem('brightsec_'+name)
            || (document.cookie.match(new RegExp('(^| )'+name+'=([^;]+)'))||[])[2]
            || '';
    }

    function fillAll(){
        var fields = ['utm_source', 'utm_medium', 'utm_campaign', 'utm_term', 'utm_content', 'utm_gclid', 'landing_url'];
        
        fields.forEach(function(f){
            var v = getVal(f);
            if(v){
                // WPForms ke liye sabse behtar selector jo container aur input dono check kare
                var selector = "input." + f + ", ." + f + " input, [class*='" + f + "'] input";
                var inputs = document.querySelectorAll(selector);
                
                inputs.forEach(function(el){
                    if(!el.value) { 
                        el.value = decodeURIComponent(v);
                        // Trigger events for WPForms tracking
                        el.dispatchEvent(new Event('input', { bubbles: true }));
                        el.dispatchEvent(new Event('change', { bubbles: true }));
                    }
                });
            }
        });
    }

    // Initial fill
    fillAll();

    // AJAX aur dynamic forms ke liye multiple attempts
    var attempts = 0;
    var timer = setInterval(function(){
        fillAll();
        attempts++;
        if(attempts > 10) clearInterval(timer);
    }, 500);

    // WPForms Specific event
    document.addEventListener("wpformsReady", fillAll);
});
</script>
<script type="text/javascript" id="wpm-switcher-block-script-js-extra">
/* <![CDATA[ */
var wpm_localize_data = {"wpm_block_switch_nonce":"58688a9090","ajax_url":"https://brightsec.com/wp-admin/admin-ajax.php","current_url":"https://brightsec.com/blog/category/threats-and-vulnerabilities/page/11/"};
//# sourceURL=wpm-switcher-block-script-js-extra
/* ]]> */
</script>
<script type="text/javascript" src="https://brightsec.com/wp-content/plugins/wp-multilang/assets/blocks/language-switcher/js/switcher-block.min.js?ver=2.4.26" id="wpm-switcher-block-script-js"></script>
<script type="text/javascript" src="https://cdn.jsdelivr.net/npm/css-mediaquery-polyfill" id="media-query-polyfill-js"></script>
<script type="text/javascript" src="https://brightsec.com/wp-content/plugins/wpforms/assets/lib/jquery.validate.min.js?ver=1.21.0" id="wpforms-validation-js"></script>
<script type="text/javascript" src="https://brightsec.com/wp-content/plugins/wpforms/assets/lib/mailcheck.min.js?ver=1.1.2" id="wpforms-mailcheck-js"></script>
<script type="text/javascript" src="https://brightsec.com/wp-content/plugins/wpforms/assets/lib/punycode.min.js?ver=1.0.0" id="wpforms-punycode-js"></script>
<script type="text/javascript" src="https://brightsec.com/wp-content/plugins/wpforms/assets/js/share/utils.min.js?ver=1.10.0.4" id="wpforms-generic-utils-js"></script>
<script type="text/javascript" src="https://brightsec.com/wp-content/plugins/wpforms/assets/js/frontend/wpforms.min.js?ver=1.10.0.4" id="wpforms-js"></script>
<script type="text/javascript" src="https://brightsec.com/wp-content/plugins/wpforms/assets/js/frontend/wpforms-modern.min.js?ver=1.10.0.4" id="wpforms-modern-js"></script>
<script type="text/javascript" src="https://brightsec.com/wp-content/plugins/wpforms/assets/js/frontend/fields/address.min.js?ver=1.10.0.4" id="wpforms-address-field-js"></script>
<script id="wp-emoji-settings" type="application/json">
{"baseUrl":"https://s.w.org/images/core/emoji/17.0.2/72x72/","ext":".png","svgUrl":"https://s.w.org/images/core/emoji/17.0.2/svg/","svgExt":".svg","source":{"concatemoji":"https://brightsec.com/wp-includes/js/wp-emoji-release.min.js?ver=6.9.4"}}
</script>
<script type="module">
/* <![CDATA[ */
/*! This file is auto-generated */
const a=JSON.parse(document.getElementById("wp-emoji-settings").textContent),o=(window._wpemojiSettings=a,"wpEmojiSettingsSupports"),s=["flag","emoji"];function i(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function c(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data);e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0);const a=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data);return t.every((e,t)=>e===a[t])}function p(e,t){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var n=e.getImageData(16,16,1,1);for(let e=0;e<n.data.length;e++)if(0!==n.data[e])return!1;return!0}function u(e,t,n,a){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\udde8\ud83c\uddf6","\ud83c\udde8\u200b\ud83c\uddf6")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!a(e,"\ud83e\u1fac8")}return!1}function f(e,t,n,a){let r;const o=(r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):document.createElement("canvas")).getContext("2d",{willReadFrequently:!0}),s=(o.textBaseline="top",o.font="600 32px Arial",{});return e.forEach(e=>{s[e]=t(o,e,n,a)}),s}function r(e){var t=document.createElement("script");t.src=e,t.defer=!0,document.head.appendChild(t)}a.supports={everything:!0,everythingExceptFlag:!0},new Promise(t=>{let n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),c.toString(),p.toString()].join(",")+"));",a=new Blob([e],{type:"text/javascript"});const r=new Worker(URL.createObjectURL(a),{name:"wpTestEmojiSupports"});return void(r.onmessage=e=>{i(n=e.data),r.terminate(),t(n)})}catch(e){}i(n=f(s,u,c,p))}t(n)}).then(e=>{for(const n in e)a.supports[n]=e[n],a.supports.everything=a.supports.everything&&a.supports[n],"flag"!==n&&(a.supports.everythingExceptFlag=a.supports.everythingExceptFlag&&a.supports[n]);var t;a.supports.everythingExceptFlag=a.supports.everythingExceptFlag&&!a.supports.flag,a.supports.everything||((t=a.source||{}).concatemoji?r(t.concatemoji):t.wpemoji&&t.twemoji&&(r(t.twemoji),r(t.wpemoji)))});
//# sourceURL=https://brightsec.com/wp-includes/js/wp-emoji-loader.min.js
/* ]]> */
</script>
<!-- start Simple Custom CSS and JS -->
<script type="text/javascript">
	
					
jQuery(function($){


if(!$('body').hasClass('page-id-9806')){
return;
}

var per_page    = 9;
var currentSort = 'newest';
var currentYear = '';
var isLoading   = false;
var searchTimer;



function updateLoadMoreButton(){

var total = parseInt($('#news-total-posts').data('total')) || 0;
var max   = parseInt($('#news-total-posts').data('max')) || 1;

if(total == 0){
total = $('#news-post-wrap .res-card').length;
max   = Math.ceil(total / per_page);
}

var current = parseInt($('.page-numbers.current').text()) || 1;


(total > per_page && current < max) ? $('#load-more-post').show() : $('#load-more-post').hide();


(total > per_page) ? $('.case-pagination-items').show() : $('.case-pagination-items').hide();


(current >= max) ? $('.next').hide() : $('.next').show();


(current <= 1) ? $('.prev').hide() : $('.prev').show();

}



function rebuildPagination(page){

var max = parseInt($('#news-total-posts').data('max')) || 1;
var html = '';

if(max <= 1){
$('.b-lobby__posts-pagination').html('');
return;
}


if(page > 1){
html += '<a href="#" class="prev page-numbers">« Prev</a>';
}


for(var i=1;i<=max;i++){

if(i == page){
html += '<span class="page-numbers current">'+i+'</span>';
}else{
html += '<a href="#" class="page-numbers">'+i+'</a>';
}

}


if(page < max){
html += '<a href="#" class="next page-numbers">Next »</a>';
}

$('.b-lobby__posts-pagination').html(html);

}



function loadPosts(page,append){

if(isLoading) return false;
isLoading = true;

var keyword = $('#ajax-search-input').val() || '';

if(!append){
$('#news-post-wrap').html('<div style="padding:40px;text-align:center;">Loading...</div>');
}

$.ajax({

url:'/wp-admin/admin-ajax.php',
type:'POST',
cache:false,

data:{
action:'news_load_more',
page:page,
filter_year:currentYear,
sort:currentSort,
keyword:keyword,
time:new Date().getTime()
},

success:function(response){

response = $.trim(response);


var tempData = $('<div>' + response + '</div>');


var newPosts = tempData.find('.res-card');


var newTotal = tempData.find('#news-total-posts');


if(append){
$('#news-post-wrap').append(newPosts);
}else{
$('#news-post-wrap').html(newPosts);
}


$('#news-total-posts').remove();
$('#news-post-wrap').after(newTotal);


$('#load-more-post').attr('data-page',page);


rebuildPagination(page);


updateLoadMoreButton();

},

complete:function(){
isLoading = false;
}

});

}



$(document).on('click','.filter-options a[data-year]',function(e){

e.preventDefault();

if(isLoading) return false;

$('.filter-options a[data-year]').removeClass('active');
$(this).addClass('active');

currentYear = $(this).attr('data-year');

$('#load-more-post').attr('data-page',1);

loadPosts(1,false);

return false;

});



$(document).on('mousedown','.sort-options a[data-sort]',function(e){

e.preventDefault();

if(isLoading) return false;

$('.sort-options a[data-sort]').removeClass('active');
$(this).addClass('active');

currentSort = $(this).data('sort');

$('#load-more-post').attr('data-page',1);

loadPosts(1,false);

return false;

});



$(document).on('keyup','#ajax-search-input',function(){

clearTimeout(searchTimer);

searchTimer = setTimeout(function(){

$('#load-more-post').attr('data-page',1);

loadPosts(1,false);

},400);

});

$(document).on('search','#ajax-search-input',function(){

$('#load-more-post').attr('data-page',1);

loadPosts(1,false);

});



$(document).on('click','#load-more-post',function(e){

e.preventDefault();

if(isLoading) return false;

var page = parseInt($(this).attr('data-page')) || 1;
page++;

loadPosts(page,true);

return false;

});



$(document).on('click','.page-numbers',function(e){

var txt = $.trim($(this).text());


if($(this).hasClass('prev')){

e.preventDefault();

var current = parseInt($('.page-numbers.current').text()) || 1;

if(current > 1){
loadPosts(current - 1,false);
}

return false;

}


if($(this).hasClass('next')){

e.preventDefault();

var current = parseInt($('.page-numbers.current').text()) || 1;
var max = parseInt($('#news-total-posts').data('max')) || 1;

if(current < max){
loadPosts(current + 1,false);
}

return false;

}


if($.isNumeric(txt)){

e.preventDefault();

loadPosts(parseInt(txt),false);

return false;

}

});



$(window).on('load',function(){

setTimeout(function(){
updateLoadMoreButton();
},300);

});

});
</script>


 

<!-- end Simple Custom CSS and JS -->
<!-- start Simple Custom CSS and JS -->
<script type="text/javascript">
document.addEventListener('DOMContentLoaded', function () {

  const fakeNumbers = [
    '0000000000','1111111111','2222222222','3333333333','4444444444',
    '5555555555','6666666666','7777777777','8888888888','9999999999',
    '1234567890','0123456789','0987654321','1212121212','1010101010'
  ];

  // WPForms specific hook (AJAX safe)
  jQuery(document).on('wpformsBeforeSubmit', function (event, formData) {

    const form = formData.form[0];
    const phoneInput = form.querySelector('input[type="tel"]');
    if (!phoneInput) return;

    const phone = phoneInput.value.replace(/\D/g, '');

    let invalid =
      phone.length < 7 ||
      phone.length > 15 ||
      /^(\d)\1+$/.test(phone) ||
      fakeNumbers.includes(phone);

    if (invalid) {

      // 🚨 STOP SUBMIT (WPForms way)
      event.preventDefault();
      formData.abort = true;

      // Show error (WPForms style)
      let error = phoneInput.parentElement.querySelector('.wpforms-error');
      if (!error) {
        error = document.createElement('label');
        error.className = 'wpforms-error';
        phoneInput.parentElement.appendChild(error);
      }

      error.innerText = 'This phone number is not allowed.';
      phoneInput.classList.add('wpforms-error');
      phoneInput.focus();

      return false;
    }

  });

});
</script><!-- end Simple Custom CSS and JS -->
<script type='text/javascript'>
/* <![CDATA[ */
var wpforms_settings = {"val_required":"This field is required.","val_email":"Please enter a valid email address.","val_email_suggestion":"Did you mean {suggestion}?","val_email_suggestion_title":"Click to accept this suggestion.","val_email_restricted":"This email address is not allowed.","val_number":"Please enter a valid number.","val_number_positive":"Please enter a valid positive number.","val_minimum_price":"Amount entered is less than the required minimum.","val_confirm":"Field values do not match.","val_checklimit":"You have exceeded the number of allowed selections: {#}.","val_limit_characters":"{count} of {limit} max characters.","val_limit_words":"{count} of {limit} max words.","val_min":"Please enter a value greater than or equal to {0}.","val_max":"Please enter a value less than or equal to {0}.","val_recaptcha_fail_msg":"Google reCAPTCHA verification failed, please try again later.","val_turnstile_fail_msg":"Cloudflare Turnstile verification failed, please try again later.","val_inputmask_incomplete":"Please fill out the field in required format.","uuid_cookie":"1","locale":"en","country":"","country_list_label":"Country list","wpforms_plugin_url":"https:\/\/brightsec.com\/wp-content\/plugins\/wpforms\/","gdpr":"","ajaxurl":"https:\/\/brightsec.com\/wp-admin\/admin-ajax.php","mailcheck_enabled":"1","mailcheck_domains":[],"mailcheck_toplevel_domains":["dev"],"is_ssl":"1","currency_code":"USD","currency_thousands":",","currency_decimals":"2","currency_decimal":".","currency_symbol":"$","currency_symbol_pos":"left","val_requiredpayment":"Payment is required.","val_creditcard":"Please enter a valid credit card number.","css_vars":["field-border-radius","field-border-style","field-border-size","field-background-color","field-border-color","field-text-color","field-menu-color","label-color","label-sublabel-color","label-error-color","button-border-radius","button-border-style","button-border-size","button-background-color","button-border-color","button-text-color","page-break-color","background-image","background-position","background-repeat","background-size","background-width","background-height","background-color","background-url","container-padding","container-border-style","container-border-width","container-border-color","container-border-radius","field-size-input-height","field-size-input-spacing","field-size-font-size","field-size-line-height","field-size-padding-h","field-size-checkbox-size","field-size-sublabel-spacing","field-size-icon-size","label-size-font-size","label-size-line-height","label-size-sublabel-font-size","label-size-sublabel-line-height","button-size-font-size","button-size-height","button-size-padding-h","button-size-margin-top","container-shadow-size-box-shadow"],"val_post_max_size":"The total size of the selected files {totalSize} MB exceeds the allowed limit {maxSize} MB.","val_time12h":"Please enter time in 12-hour AM\/PM format (eg 8:45 AM).","val_time24h":"Please enter time in 24-hour format (eg 22:45).","val_time_limit":"Please enter time between {minTime} and {maxTime}.","val_url":"Please enter a valid URL.","val_fileextension":"File type is not allowed.","val_filesize":"File exceeds max size allowed. File was not uploaded.","post_max_size":"2147483648","isModernMarkupEnabled":"1","formErrorMessagePrefix":"Form error message","errorMessagePrefix":"Error message","submitBtnDisabled":"Submit button is disabled during form submission.","readOnlyDisallowedFields":["captcha","repeater","map","content","divider","hidden","html","entry-preview","pagebreak","layout","payment-total"],"error_updating_token":"Error updating token. Please try again or contact support if the issue persists.","network_error":"Network error or server is unreachable. Check your connection or try again later.","token_cache_lifetime":"86400","hn_data":{"5108":2},"address_field":{"list_countries_without_states":["GB","DE","CH","NL"]},"val_phone":"Please enter a valid phone number.","val_password_strength":"A stronger password is required. Consider using upper and lower case letters, numbers, and symbols.","entry_preview_iframe_styles":["https:\/\/brightsec.com\/wp-includes\/js\/tinymce\/skins\/lightgray\/content.min.css?ver=6.9.4","https:\/\/brightsec.com\/wp-includes\/css\/dashicons.min.css?ver=6.9.4","https:\/\/brightsec.com\/wp-includes\/js\/tinymce\/skins\/wordpress\/wp-content.css?ver=6.9.4","https:\/\/brightsec.com\/wp-content\/plugins\/wpforms\/assets\/pro\/css\/fields\/richtext\/editor-content.min.css"],"indicatorStepsPattern":"Step {current} of {total}"}
/* ]]> */
</script>
    <div id="bs-multi-mega" style="display:none;">

      <!-- STAR Wrapper -->
      <div class="bs-mega-wrap bs-star-wrap" role="dialog" aria-label="Star mega menu">
		  <div class="menu-sec">
		    <h4 class="overview" style="  border-bottom: 2px solid; border-image-source: linear-gradient(90.17deg, #DE6143 0.3%, #EC9EDD 69.08%);
  border-image-slice: 1; line-height: 30px;">Overview</h4>
        <div class="bs-star-banner">
            			<div class="start-col">
			   <a href="https://brightsec.com/product/bright-star/">
          <div class="title">STAR Page</div>
          <div class="desc"> The next-generation platform for DAST, IAST, and API security testing, with automated remediation to fix vulnerabilities instantly</div>
			</a></div>   <span class="chev-icon" style="color:#fff !important;">▶</span>
			  </div>

        <div class="bs-accordion">
                    <div class="bs-acc-row" tabindex="0" role="button" aria-controls="bs-panel-0">
            <div class="bs-acc-left"><a href="https://brightsec.com/product/bright-star/comparison/" class="bs-acc-heading"><h4>Comparison Page</h4><p>Compare Bright STAR with leading AppSec platforms and understand the technical differences across accuracy, speed, validation, and remediation workflows</p></a></div>
            <!--<div class="bs-chev" aria-hidden="true">+</div>-->
            
                            <!-- 👉 Submenu nahi hai → direct arrow -->
                <span class="chev-icon">▶</span>
                      </div>
          
                              <div class="bs-acc-row" tabindex="0" role="button" aria-controls="bs-panel-1">
            <div class="bs-acc-left"><a href="http://brightsec.com/product/bright-star/solutions/" class="bs-acc-heading"><h4>Solution Page</h4><p>Explore solutions for modern AppSec: Shift-Left security, API penetration testing, and integrating dynamic testing into your CI/CD.</p></a></div>
            <!--<div class="bs-chev" aria-hidden="true">+</div>-->
            
                            <!-- 👉 Submenu nahi hai → direct arrow -->
                <span class="chev-icon">▶</span>
                      </div>
          
                            </div>
		  </div>
      </div>

		
		
      <!-- Business Impact Wrapper -->
      		
      <!-- PLATFORM Wrapper -->
      <div class="bs-mega-wrap bs-platform-wrap" role="dialog" aria-label="Platform mega menu">
		  <div class="menu-sec">
        <div class="bs-grid">
                      <!-- LEFT Column -->
          <div class="bs-col-wide">
            <h4 style="border-bottom: 2px solid #E4CD64">Overview</h4>
            <ul class="bs-list">
                              <li><a href="https://brightsec.com/platform/dynamic-appsec"><div><strong>Dynamic Application Security Testing</strong><p>Dynamic AppSec platform that secures web applications, APIs, business logic, and LLMs, accelerating vulnerability resolution by up to 10X</p></div><span class="chev-icon">▶</span></a></li>
                              <li><a href="https://brightsec.com/platform/integrations/"><div><strong>Integrations</strong><p>Explore native integrations with your CI/CD, IDEs (VS Code, IntelliJ), ticketing (Jira), and source code management (GitHub, GitLab).</p></div><span class="chev-icon">▶</span></a></li>
                              <li><a href="https://brightsec.com/product/book-a-demo/"><div><strong>Book a Demo</strong><p></p></div><span class="chev-icon">▶</span></a></li>
                           </ul>
          </div>

          <!-- RIGHT Column -->
          
        </div>
		  </div>
      </div>

      <!-- RESOURCES Wrapper -->
      <div class="bs-mega-wrap bs-resources-wrap" role="dialog" aria-label="Resources mega menu">
		  <div class="menu-sec">
        <div class="bs-resources-grid">
                     <!-- LEFT: list -->
          <div class="bs-resources-left">
            <h4 class="overview" style="border-bottom: 2px solid #E48973;line-height: 30px;">Resources</h4>
            <ul class="bs-res-list">
                            <li><a href="https://brightsec.com/resources/blogs/"><div><strong>Blogs</strong><p>See how dev-centric DAST for the enterprise secures your business.</p></div><span class="chev-icon">▶</span></a></li>
                            <li><a href="https://docs.brightsec.com/docs/introducing-to-bright"><div><strong>Docs</strong><p>See how dev-centric DAST for the enterprise secures your business.</p></div><span class="chev-icon">▶</span></a></li>
                          </ul>
          </div>
          
          <!-- RIGHT: list (if any items right) -->
                    <div class="bs-resources-left"> <!-- Reuse left class for full width list style in right col -->
             <h4 class="overview" style="border-bottom: 2px solid #E48973;line-height: 30px;">&nbsp;</h4>
             <ul class="bs-res-list">
                            <li><a href="https://brightsec.com/resources/case-studies/"><div><strong>Case Studies</strong><p></p></div><span class="chev-icon">▶</span></a></li>
                          </ul>
          </div>
          
        </div>
		  </div>
      </div>



      <!-- COMPANY Wrapper -->
      <div class="bs-mega-wrap bs-company-wrap" role="dialog" aria-label="Company mega menu">
		  		  <div class="menu-sec">

        <div class="bs-company-grid" style="border-top: 2px solid #E784D5;">
                     <!-- LEFT column -->
          <div class="bs-col">
            <ul class="bs-list">
                            <li><a href="https://brightsec.com/company/about-us/"><div><strong>About us</strong><p> Who we are, where we came from, and our Bright vision for the future.</p></div><span class="chev-icon">▶</span></a></li>
                            <li><a href="https://brightsec.com/news/"><div><strong>News</strong><p>Bright news hot off the press.</p></div><span class="chev-icon">▶</span></a></li>
                            <li><a href="https://brightsec.com/company/contact-us/"><div><strong>Contact us</strong><p>Need some help getting started? Looking to collaborate? Talk to us.</p></div><span class="chev-icon">▶</span></a></li>
                          </ul>
          </div>

          <!-- RIGHT column -->
          <div class="bs-col">
            <ul class="bs-list">
                            <li><a href="https://brightsec.com/company/careers/"><div><strong>Careers</strong><p>Want to join the Bright team? See our open positions.</p></div><span class="chev-icon">▶</span></a></li>
                            <li><a href="https://brightsec.com/company/bug-bounty-program/"><div><strong>Bug Bounty</strong><p>Found a security issue or vulnerability we should hear about? Let us know!</p></div><span class="chev-icon">▶</span></a></li>
                          </ul>
          </div>

        </div>
		  </div>
      </div>

    </div>
    </body>
</html>

<!-- Cache served by breeze CACHE - Last modified: Fri, 01 May 2026 17:48:57 GMT -->

Table of Contents

Intro

What you need to verify a Prototype Pollution

What is susceptible to Prototype Pollution manipulation?

Property definition by path/location

Simple Example Prototype Pollution payloads

Polluting the DOM

Examples for vulnerable document.location parsers

XSS examples

How to popup an alert by altering __proto__?

Remediating this vulnerability:

This vulnerability can be fixed by:

Table of Contents

Intro

Importance

Attack

Recon

Exploitation

Additional tips

Remediation

Bright and Business Constraint Bypass

Table of Contents

Intro

Importance of XSS vulnerabilities

Some known XSS attacks in the wild

Types of XSS

Attacks

Let’s start with the basics

Finding possible injection points

Inspecting the elements and analyzing the reflection

Basic injections

Going crazy with the payloads

Polyglots

DOM XSS Example

How to popup an alert by altering proto?