Nodejs Prototype chain pollution analysis
What is? js Prototype ?
Can be js Prototype is understood as other OOP Class in language , But there are still subtle differences .
1. function F(){...}
2. var f = new F();
analysis :
1. Create a func F, At the same time, he created a F object ( This object defaults to next Object Prototype chain of , It can be understood as Object Instance object of ), And will F The constructor of points to function F(), At the same time, set internal properties prototype Point to the object F In itself .
2. When it comes to objects F Or function F When instantiating , Will create An instance object , At the same time, the instance object adds one by default __proto__ attribute , Point to F object .
What is? js Prototype chain ?
I see js Prototype , that js The prototype chain should be very clear ...( The dog's head lives : After all, it is impossible to tell the truth “ The prototype chain is the chain composed of prototypes !”
Prototype chain pollution is something ?
Think first :foo.__proto__ Pointing to Foo Class prototype. that , If we modify foo.__proto__ The value in , Is it possible to modify Foo Class? ?
Pictured , Create an object first a, And instantiate and assign to test1. Create another b object , hold test1 Of __proto__ Point to b object . But there seems to be no change ??? Prototype chain pollution is fake ?
see test1 The prototype of the , It has indeed become b ah , Why not b Properties of y Well ? In fact, this function is equivalent to a constructor , Inside this.y Only in its corresponding instantiated object . Change the chain directly , But this function did not execute , That is why the final display does not y attribute , As long as y Properties adding to b In the object 
Pictured , stay b Add a... To the prototype object z attribute ,test1 This attribute can be used in , So as to achieve the purpose of polluting the prototype chain .
How to use prototype chain pollution ?
In the final analysis, it is because of the modification __proto__ Attribute changes the prototype chain of the instance object . So we can see which operations will be modified __proto__ attribute , Generally, the operation attribute can also be in the form of array , Such as : test1['proto'] = xxx. Therefore, the most likely cause of prototype chain pollution is inseparable from the functions that operate the array .
There are merge,clone Such as function
Prototype chain pollution in ctf Use of
https://blog.happysec.cn/index/view/328.html
Reference resources P Divine masterpiece
Summary
- js Data analysis of prototype chain
- express Framework support according to Content-Type To parse the request Body, So it can be set conveniently payload
【web Security 】Nodejs More related articles on prototype chain pollution analysis
- redpwnctf-web-blueprint-javascript Prototype chain pollution learning summary
I saw it the other day redpwn One of them web topic ,node.js Of web, The knowledge involved is javascript Prototype chain pollution , I haven't touched much before js, And this hole seems to be relatively new , So record the learning process 1. This machine node.js Environmental Science ...
- On JavaScript Prototype chain pollution
18 year p Master gave some code audit questions on the knowledge planet , One of the difficulties is hard Of js subject (Thejs) For prototype chain pollution attack , At that time, I was too busy ( Actually, it's too delicious , Shed tears of unskilled ) I haven't read it carefully , Follow up p Master writes w ...
- Prototype chain pollution (Node.js Pollution ,javasrcipt Prototype chain pollution )
Learning links : https://www.jianshu.com/p/6e623e9debe3 About NJS https://xz.aliyun.com/t/7184 The related question is GYCTF ez_expr ...
- javascript Prototype chain pollution
principle ①javascript Constructor in is equivalent to class , And it can be instantiated ②javascript Every function of has a prototype attribute , The prototype used to point to this constructor is the same javascript Every instance object of ...
- JavaScript Prototype chain and its pollution
JavaScript Prototype chain and its pollution One . What is prototype chain ? 1.JavaScript in , If we want to define One class , Need to be define" Constructors " The way to define: functi ...
- The illustration JavaScript Prototype chain in
from :http://www.jianshu.com/p/a81692ad5b5d typeof obj and obj instanceof Type stay JavaScript in , We often use typeof o ...
- Nodejs- Prototype chain pollution
Prototype chain pollution javascript Prototype chain stay javascript in , The whole process of inheritance is called the prototype chain of this class . Every object has a prototype that points to it (prototype) Internal links to , This prototype object has its own prototype , One ...
- Learn from scratch Web And JS senior ( Two ) Prototype chain , Inheritance of prototypes
Hello everyone , Here is 「 Learn from scratch Web Series of tutorials 」, And update at the following address ...... github:https://github.com/Daotin/Web WeChat official account :Web At the top of the front end Blog Garden :ht ...
- 【nodejs principle & Source appreciation (3)】 Appreciate the surgical prototype chain processing art
Catalog One . summary Two . Basic knowledge of prototype chain 3、 ... and . Worker Class prototype chain processing Four . Instance generation 5、 ... and . Last question 6、 ... and . Some experience The sample code is hosted in :http://www.github.com/dashno ...
- 【nodejs principle & Source appreciation (3)】 Appreciate the surgical prototype chain processing art
[ Abstract ] Learn from classic code prototype machining The sample code is hosted in :http://www.github.com/dashnowords/blogs Good code is almost , Bad code has its own bad method . One . summary ...
Random recommendation
- [AR]ImageTarget( Image recognition )
ImageTarget Preface ImageTarget seeing the name of a thing one thinks of its function , It's image recognition , This article records the author's recent study vuforia Medium imageTarget Notes and experience . vuforia guide:https://l ...
- div,li,span Adaptive width wrapping problem
<ul class="news"> <li><span class="lbl"> Right alignment , The solution of line feed display </s ...
- hdu 4597 + uva 10891( A class of intervals dp)
Topic link :http://vjudge.net/problem/viewProblem.action?id=19461 Ideas : A class of classical game interval dp, We make dp[l][r] It means the player A From the interval [l, r] ...
- tomcat Cutting logs shell Script
#!/bin/bash cd /usr/tomcats/ d=`date +%F` m1=`date -d'1 month ago' +%F` ` do cd tomcat808"$i&qu ...
- php socket signal communication
Socket The extension is based on popular BSD sockets, Realized and socket The bottom interface of communication function , It can be treated like a client socket The server . Want to learn about a more general client socket Interface , Please have a look at stream_s ...
- Learn from scratch Xamarin.Forms( 5、 ... and ) skill
original text : Learn from scratch Xamarin.Forms( 5、 ... and ) skill because HTML5 To regulate in 2014 year 10 The month was finally finalized , company .net Fewer developers , At home and abroad, there are more mature UI frame . The rapid development of mobile phone software and hardware and so on , So I just ...
- web.xml Run sequence summary
In the whole order <context-param>--<listener>--<filter>--<servlet>. among , The sequences in the categories within are run . and < ...
- Linux What happened in -bash: syntax error near unexpected token `
Copyright notice : This article is an original blog article , No reprint without the permission of the blogger . stay Linux 5 When importing data in , The following error appears . -bash: syntax error near unexpected token `(' Checked ...
- [Swift]LeetCode1019. The next node in the linked list | Next Greater Node In Linked List
We are given a linked list with head as the first node. Let's number the nodes in the list: node_1, ...
- ordinary jvm An attempt to optimize
One .eclipse Startup optimization Found in daily development eclipse It starts very slowly , And it is also very important in the actual development , So try to optimize . Now? eclipse Is running on the jdk1.7 On . First we can see ecli ...
