Prototype Pollution
Difficulty: Intermediate
JavaScript's prototype chain can be weaponized. Pollute the prototype to escalate privileges, bypass auth checks, and then learn the defenses.
Steps:
1. Pollute the Prototype
2. Exploit the Bypass
3. Fix the Vulnerability
merge-service.js
```javascript
// Vulnerable merge function: a recursive merge that also descends into a
// source key named "__proto__" (as JSON.parse produces), so untrusted
// input can write properties onto Object.prototype
function merge(target, source) {
  for (const key in source) {
    if (source[key] && typeof source[key] === 'object') {
      target[key] = merge(target[key] || {}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}
// User input (the parsed request body) merged into config
const config = {};
merge(config, userInput);
```
Prototype Chain State:
```javascript
Object.prototype.isAdmin = undefined
({}).isAdmin → undefined
```
Auth check simulation:
```javascript
const user = {}; // fresh object, no own isAdmin property
if (user.isAdmin) { // resolved through the prototype chain
  grantAccess(); // not reached while Object.prototype.isAdmin is undefined
}
```
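The fix for step 3, as an added example that is not part of the lab's own merge-service.js: a deep merge that refuses the keys able to reach the prototype chain (`__proto__`, `constructor`, `prototype`) and only ever reads or writes own properties, plus a helper that reruns the page's auth check on a fresh object after merging an untrusted JSON body (the names `safeMerge`, `isPlainObject` and `authBypassed` are assumed here).

```javascript
// Added example (not the lab's code): a hardened replacement for merge().
// Keys that can reach the prototype chain are dropped, and only own
// properties of target and source are ever read or written.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only merge into plain data objects, never into arrays, functions or class instances.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === null || proto === Object.prototype;
}

function safeMerge(target, source) {
  // Object.keys() lists own enumerable keys only, so inherited keys are ignored.
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      // Drop the key instead of recursing into it; a real service would also log it.
      continue;
    }
    const value = source[key];
    if (isPlainObject(value)) {
      // Reuse the existing child only if it is target's OWN plain object, so an
      // inherited value such as Object.prototype can never become the merge target.
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      const child = hasOwn && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeMerge(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Replays the lab's auth check on a fresh object after merging an untrusted
// JSON body; returns true only if Object.prototype was polluted.
function authBypassed(payloadJson) {
  const config = {};
  safeMerge(config, JSON.parse(payloadJson)); // constructed untrusted input
  const user = {}; // fresh object, exactly as in the lab's check
  return Boolean(user.isAdmin);
}
```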