1. Web Security Academy
  2. Prototype pollution
  3. Server-side vulnerabilities
  4. Lab

Lab: Exfiltrating sensitive data via server-side prototype pollution


This lab is built on Node.js and the Express framework. It is vulnerable to server-side prototype pollution because it unsafely merges user-controllable input into a server-side JavaScript object.

Due to the configuration of the server, it's possible to pollute Object.prototype in such a way that you can inject arbitrary system commands that are subsequently executed on the server.

To solve the lab:

  1. Find a prototype pollution source that you can use to add arbitrary properties to the global Object.prototype.
  2. Identify a gadget that you can use to inject and execute arbitrary system commands.
  3. Trigger remote execution of a command that leaks the contents of Carlos's home directory (/home/carlos) to the public Burp Collaborator server.
  4. Exfiltrate the contents of a secret file in this directory to the public Burp Collaborator server.
  5. Submit the secret you obtain from the file using the button provided in the lab banner.

In this lab, you already have escalated privileges, giving you access to admin functionality. You can log in to your own account with the following credentials: wiener:peter


When testing for server-side prototype pollution, it's possible to break application functionality or even bring down the server completely. If this happens to your lab, you can manually restart the server using the button provided in the lab banner. Remember that you're unlikely to have this option when testing real websites, so you should always use caution.

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy
  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here