Client-side prototype pollution

Prototype pollution is a JavaScript vulnerability that enables an attacker to add arbitrary properties to global prototypes, which may then be inherited by user-defined objects.

In this topic, you'll learn how to identify client-side prototype pollution vulnerabilities and exploit them for DOM XSS. We'll cover both manual exploitation and how you can use DOM Invader to greatly simplify this process. As always, we've provided a number of deliberately vulnerable lab websites for you to practice on.

JavaScript prototypes and inheritance

To understand how prototype pollution works, you'll need a basic understanding of JavaScript's object inheritance model. To help get you started, we've provided a summary of the essentials.

What is prototype pollution?

Once you've got a basic understanding of how prototypes and inheritance work in JavaScript, you're ready to start learning how this behavior can potentially be exploited by an attacker. In this section, we'll cover the basics of prototype pollution vulnerabilities, including how they arise and how they can lead to high-severity bugs like DOM XSS.

Finding client-side prototype pollution vulnerabilities

In this section, we'll walk you through the high-level process for finding prototype pollution vulnerabilities both manually and using DOM Invader. You'll also have the chance to practice this for yourself on some deliberately vulnerable labs.

Prototype pollution via browser APIs

In this section, you'll learn how to exploit a number of widespread prototype pollution gadgets in the JavaScript APIs provided by browsers. These can provide a simple means of bypassing flawed prototype pollution defences implemented by developers.

Preventing prototype pollution

In this section, we'll provide some guidance on how you can protect your own websites against prototype pollution vulnerabilities. We'll also use a lab to demonstrate a flawed approach to blocking prototype pollution sources.
