{"id":25065817,"url":"https://github.com/dubniczky/prototype-pollution","last_synced_at":"2026-04-30T10:37:21.285Z","repository":{"id":160045567,"uuid":"516329600","full_name":"dubniczky/Prototype-Pollution","owner":"dubniczky","description":"JavaScript Prototype Pollution Attack demo against a NodeJS Express server using Lodash","archived":false,"fork":false,"pushed_at":"2022-07-21T11:03:39.000Z","size":2199,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-31T13:33:02.043Z","etag":null,"topics":["demo","exploit","javascript","lodash","prototype-pollution","security","yarn-berry"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dubniczky.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-07-21T10:41:44.000Z","updated_at":"2024-07-18T13:55:05.000Z","dependencies_parsed_at":null,"dependency_job_id":"636d0d49-9412-4507-9d67-fc02bd57dcf4","html_url":"https://github.com/dubniczky/Prototype-Pollution","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/dubniczky/Prototype-Pollution","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dubniczky%2FPrototype-Pollution","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dubniczky%2FPrototype-Pollution/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dubniczky%2FPrototype-Pollution/releases","manifests_url":"
https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dubniczky%2FPrototype-Pollution/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dubniczky","download_url":"https://codeload.github.com/dubniczky/Prototype-Pollution/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dubniczky%2FPrototype-Pollution/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32462304,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-29T22:27:22.272Z","status":"online","status_checked_at":"2026-04-30T02:00:05.929Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["demo","exploit","javascript","lodash","prototype-pollution","security","yarn-berry"],"created_at":"2025-02-06T19:45:06.928Z","updated_at":"2026-04-30T10:37:21.280Z","avatar_url":"https://github.com/dubniczky.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# JavaScript Prototype Pollution Attack\n\nJavaScript Prototype Pollution Attack demo against a NodeJS Express server using Lodash\n\n\u003cdiv align=\"center\"\u003e\n  \u003ca href=\"https://gitlab.com/richard-nagy/\"\u003e\n    \u003cimg src=\"https://media.githubusercontent.com/media/dubniczky/Prototype-Pollution/20a650ce06cf29977789c6e0665444b955366683/assets/logo.png\" alt=\"Avatar\" width=\"130\" height=\"150\"/\u003e\n  
\u003c/a\u003e\n\u003c/div\u003e\n\n## Introduction\n\nPrototype Pollution is an injection attack against JavaScript runtimes. Almost every object inherits from `Object.prototype`, so an attacker who gets a property written onto that prototype (typically by smuggling keys such as `__proto__` or `constructor.prototype` into user-controlled input that the application then deep-merges, clones or path-assigns) changes the default value of that property for every object in the running instance that does not define its own. Depending on where the polluted property is read, this tampering may let the attacker control the application's logic (for example flipping an authorization flag), crash the server, or reach remote code execution. This demo targets a NodeJS Express server that passes request data to a deliberately old, unpatched Lodash version; older Lodash deep-merge helpers such as `_.merge` and `_.defaultsDeep` did not filter these keys.\n\n## Server Requirements\n\n\u003e Please note that the program might work on earlier versions, but it has not been tested.\n\n### Using Docker-compose\n\n- Docker-compose `v1.29.2`\n- Docker Desktop `v4.7.1`\n\n### Using Manual Docker\n\n- Docker Desktop `v4.7.1`\n\n### Using Manual\n\n- NodeJS `v16.15.0`\n- Yarn `v3.2.1`\n\n\u003e The project uses Yarn Berry with Plug'n'Play so that the pinned packages are kept locally in the repository: they are deliberately vulnerable versions and may be removed from the registry eventually.\n\n## Starting Server\n\nThree options are included, from simplest to most manual:\n\n1. Using Docker-compose\n1. Manual container building\n1. Manual installation and running\n\n### Docker Compose\n\n```bash\ndocker-compose up\n```\n\n### Manual Container\n\nBuild the container:\n\n```bash\ndocker build -t protopoll .\n```\n\nRun the container:\n\n```bash\ndocker run -p 8080:8080 protopoll\n```\n\n### Manual\n\nInstall dependencies:\n\n```bash\nyarn install\n```\n\n\u003e If you don't have yarn installed: `npm install -g yarn`. You may need root privileges on Linux.\n\nStart the server:\n\n```bash\nnode server\n```\n\n## Running the Exploit\n\n- Bash: `./exploit.sh`\n- PowerShell: `.\\exploit.ps1`\n- Python: `python exploit.py`\n- VS Code REST Client: [extension link](https://marketplace.visualstudio.com/items?itemName=humao.rest-client)\n\n## Example run\n\nExample server run\n\n![example server run](/assets/example-server.png)\n\nExample exploit run\n\n![example exploit run](/assets/example-exploit.png)\n\n## License\n\nStandard MIT license: [document](/LICENSE)\n\n## Disclaimer\n\nThis tool is intended for demonstration purposes, so only use it against your own systems or against ones you have authorization to test.
I take no responsibility for your actions.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdubniczky%2Fprototype-pollution","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdubniczky%2Fprototype-pollution","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdubniczky%2Fprototype-pollution/lists"}