Portswigger Academy Prototype pollution Labs

Introduction

What?

Prototype pollution is a JavaScript vulnerability that enables an attacker to add arbitrary properties to global prototypes, which may then be inherited by user-defined objects.

Why?

Depending on the exact logic of the application, prototype pollution can lead to practically all popular web vulnerabilities: remote code execution (RCE), cross-site scripting ( XSS ), SQL injection, and so on.

How?

• Prototype pollution

• DOM XSS via client-side prototype pollution

• DOM XSS via an alternative prototype pollution vector

• Client-side prototype pollution via flawed sanitization

• Client-side prototype pollution in third-party libraries

• Client-side prototype pollution via browser APIs

• Privilege escalation via server-side prototype pollution

• Detecting server-side prototype pollution without polluted property reflection

• Bypassing flawed input filters for server-side prototype pollution

• Remote code execution via server-side prototype pollution

• Exfiltrating sensitive data via server-side prototype pollution