Prototype pollution (against GSAP)

Hey everyone, I was doing bug bounting on HackerOne abd got invited to what looks to me like a good program for begginers since it doesn’t offer any bounties, there were not many found and the target had like 300 subdomains. It’s not my first program however it’s the first vulnerability I’m reporting.

So, I notice that they’re using a GSAP version that is vulnerable to prototype pollution (CVE-2020-28478).

I googled for a proof of concept and found one at [Synk]'s website (Prototype Pollution in gsap | CVE-2020-28478 | Snyk)

It’s this simple piece of code:

gsap.config({ autoSleep: JSON.parse('{"__proto__":{"__proto__":{"polluted":"yes"}}}') });
// gsap.defaults(JSON.parse('{"proto":{"polluted":"yes"}}'));

document.write('Polluted : ' + polluted);

I got really happy since it worked, wrote a nice report and and sent them, saying that possible types of attacks include DoS, RCE and Property Injection as I saw at Synk’s website.
The program is being managed by HackerOne themselves and the triage moderator asked me for a PoC related to the types of attacks above.

I learned some stuff about prototype pollution and, as of my understanding, unlesss there’s some sort of functions that would be used to either do some server-side work or at least trigger it, there’s no way of making it work?

Well, to summarize I would like to know your opinions or some guidance to exploit the vulnerability, possibly RCE since DoS is a sort of grey area because it can damage their uptime and I don’t think that would be professional or even ethical.

Thanks in advance :slight_smile: