exploiting-prototype-pollution-in-javascript

Detect and exploit JavaScript prototype pollution vulnerabilities on both client-side and server-side applications to achieve XSS, RCE, and authentication bypass through property injection.

AI & Automation 15,448 stars 1852 forks Updated 1 weeks ago Apache-2.0

Quality Score: 97/100

Stars (20%): 100
Recency (20%): 90
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Exploiting Prototype Pollution in JavaScript

## When to Use

- When testing Node.js or JavaScript-heavy web applications
- During assessment of APIs accepting deep-merged JSON objects
- When testing client-side JavaScript frameworks for DOM XSS via prototype pollution
- During code review of object merge/clone/extend operations
- When evaluating npm packages for prototype pollution gadgets

## Prerequisites

- Burp Suite with DOM Invader extension for client-side prototype pollution detection
- Node.js development environment for server-side testing
- Understanding of JavaScript prototype chain and object inheritance
- Knowledge of common pollution gadgets (sources, sinks, and exploitable properties)
- Prototype Pollution Gadgets Scanner Burp extension for server-side detection
- Browser developer console for client-side prototype manipulation

> **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

## Workflow

### Step 1 — Identify Prototype Pollution Sources

```javascript
// Client-side: Test URL-based sources
// Navigate to: http://target.com/page?__proto__[polluted]=true
// Or use constructor: http://target.com/page?constructor[prototype][polluted]=true
// Check in browser console:
console.log(({}).polluted);
// If returns "true", pollution confirmed

// Common URL-based pollution vectors:
// ?__pr...
```
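For the code-review and deep-merged-JSON cases listed under "When to Use", the following added example (not part of the original skill or its repository) puts an unfiltered recursive merge beside a key-filtering one and runs the same `({}).polluted` check against both. The names `naiveMerge`, `safeMerge`, `comparePollution` and the sample request body are hypothetical and constructed for illustration.

```javascript
'use strict';

// Keys that let attacker-controlled JSON reach a prototype object.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Pattern to flag in review: recursive merge with no key filtering.
// target['__proto__'] resolves to Object.prototype, so the recursion writes into it.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened form: skip prototype-reaching keys and only recurse into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(source[key]) && own && isPlainObject(target[key])) {
      safeMerge(target[key], source[key]);
    } else {
      target[key] = isPlainObject(source[key]) ? safeMerge({}, source[key]) : source[key];
    }
  }
  return target;
}

// Constructed sample: a JSON body as a deep-merging API might receive it.
const SAMPLE_BODY = '{"theme":"dark","__proto__":{"polluted":"true"}}';

// Merge the same body with both functions and read the marker from a fresh object.
function comparePollution(jsonText) {
  const result = {};
  naiveMerge({}, JSON.parse(jsonText));
  result.naive = ({}).polluted;          // set if Object.prototype was written
  delete Object.prototype.polluted;      // clean up before the second run
  result.merged = safeMerge({ theme: 'light' }, JSON.parse(jsonText));
  result.hardened = ({}).polluted;       // stays undefined with key filtering
  return result;
}
```

`JSON.parse` creates `__proto__` as an own property, which is why `Object.keys` hands it to the merge loop at all; a regression test built on `comparePollution` catches a merge helper that loses its key filter.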

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: 1 weeks ago
Language: Python
License: Apache-2.0
