Prototype pollution

What is prototype pollution? 0 of 1

What is prototype pollution? Get started

JavaScript prototypes and inheritance 0 of 8

What is an object in JavaScript?

What is an object in JavaScript? - Continued

What is a prototype in JavaScript?

How does object inheritance work in JavaScript?

How does object inheritance work in JavaScript? - Continued

The prototype chain

Accessing an object's prototype using __proto__

Modifying prototypes

How do prototype pollution vulnerabilities arise? 0 of 2

How do prototype pollution vulnerabilities arise?

How do prototype pollution vulnerabilities arise? - Continued

Prototype pollution sources 0 of 3

Prototype pollution sources

Prototype pollution via the URL

Prototype pollution via JSON input

Prototype pollution sinks 0 of 1

Prototype pollution sinks

Prototype pollution gadgets 0 of 2

Prototype pollution gadgets

Example of a prototype pollution gadget

Client-side prototype pollution 0 of 11

Finding client-side prototype pollution sources manually

Finding client-side prototype pollution sources using DOM Invader

Finding client-side prototype pollution gadgets manually

Finding client-side prototype pollution gadgets using DOM Invader

Lab: DOM XSS via client-side prototype pollution PRACTITIONER

Lab: DOM XSS via an alternative prototype pollution vector PRACTITIONER

Prototype pollution via the constructor

Bypassing flawed key sanitization

Lab: Client-side prototype pollution via flawed sanitization PRACTITIONER

Prototype pollution in external libraries

Lab: Client-side prototype pollution in third-party libraries PRACTITIONER

Prototype pollution via browser APIs 0 of 5

Prototype pollution via browser APIs

Prototype pollution via fetch()

Prototype pollution via fetch() - Continued

Prototype pollution via Object.defineProperty()

Lab: Client-side prototype pollution via browser APIs PRACTITIONER

Server-side prototype pollution 0 of 27

Server-side prototype pollution

Why is server-side prototype pollution more difficult to detect?

Detecting server-side prototype pollution via polluted property reflection

Detecting server-side prototype pollution via polluted property reflection - Continued

Lab: Privilege escalation via server-side prototype pollution PRACTITIONER

Detecting server-side prototype pollution without polluted property reflection

Status code override

Status code override - Continued

JSON spaces override

JSON spaces override - Continued

Charset override

Charset override - Continued

Lab: Detecting server-side prototype pollution without polluted property reflection PRACTITIONER

Scanning for server-side prototype pollution sources

Scanning for server-side prototype pollution sources - Continued

Bypassing input filters for server-side prototype pollution

Lab: Bypassing flawed input filters for server-side prototype pollution PRACTITIONER

Remote code execution via server-side prototype pollution

Identifying a vulnerable request

Identifying a vulnerable request - Continued

Remote code execution via child_process.fork()

Lab: Remote code execution via server-side prototype pollution PRACTITIONER

Remote code execution via child_process.execSync()

Remote code execution via child_process.execSync() - Continued

Preventing prototype pollution 0 of 5

Preventing prototype pollution vulnerabilities

Sanitizing property keys

Preventing changes to prototype objects

Preventing an object from inheriting properties

Using safer alternatives where possible

Contents

Get started: What is prototype pollution?