{"id":27113000,"url":"https://github.com/joseph-martre/prototype-pollution-interactive-demo","last_synced_at":"2026-04-26T23:31:06.179Z","repository":{"id":286506808,"uuid":"961607680","full_name":"Joseph-Martre/prototype-pollution-interactive-demo","owner":"Joseph-Martre","description":"Interactive demo of a prototype pollution → XSS exploit in JavaScript","archived":false,"fork":false,"pushed_at":"2025-04-06T21:50:51.000Z","size":145,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-09T22:14:17.451Z","etag":null,"topics":["client-side","cybersecurity","demo","education","exploit","frontend-security","html-sanitization","infosec","interactive-demo","javascript","prototype-pollution","security","vulnerability","web-security","xss"],"latest_commit_sha":null,"homepage":"https://prototype-pollution-interactive-demo.netlify.app/","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"isc","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Joseph-Martre.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-04-06T21:18:33.000Z","updated_at":"2025-04-06T22:05:21.000Z","dependencies_parsed_at":"2025-04-06T22:35:27.213Z","dependency_job_id":null,"html_url":"https://github.com/Joseph-Martre/prototype-pollution-interactive-demo","commit_stats":null,"previous_names":["joseph-martre/prototype-pollution-interactive-demo"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Joseph-Martre%2Fprototype-pollution-interactive-demo","ta
gs_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Joseph-Martre%2Fprototype-pollution-interactive-demo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Joseph-Martre%2Fprototype-pollution-interactive-demo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Joseph-Martre%2Fprototype-pollution-interactive-demo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Joseph-Martre","download_url":"https://codeload.github.com/Joseph-Martre/prototype-pollution-interactive-demo/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248119290,"owners_count":21050755,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["client-side","cybersecurity","demo","education","exploit","frontend-security","html-sanitization","infosec","interactive-demo","javascript","prototype-pollution","security","vulnerability","web-security","xss"],"created_at":"2025-04-07T02:38:09.583Z","updated_at":"2026-04-26T23:31:06.129Z","avatar_url":"https://github.com/Joseph-Martre.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🧪 Prototype Pollution XSS Demo\n\nThis project is an **interactive demonstration** of a client-side **Prototype Pollution** vulnerability, resulting in a bypass of a sanitized HTML allowlist and triggering **Cross-Site Scripting (XSS)**.\n\n🔗 **Live Demo**: https://prototype-pollution-interactive-demo.netlify.app/  \n📜 Licensed under [ISC](./LICENSE)\n\n---\n\n## 🚨 What It Shows\n\nPrototype 
pollution is a vulnerability unique to JavaScript that allows attackers to tamper with the default object prototype. This can lead to unexpected behavior and security flaws—such as:\n\n- Bypassing `Object.freeze`-based allowlists  \n- Triggering arbitrary script execution (`XSS`)  \n- Causing application crashes (DoS)  \n\nThis demo walks through:\n\n- The vulnerability basics  \n- Code examples of the pollution exploit  \n- Real-time, fake chat messages simulating an XSS attack  \n- HTML sanitization flaws stemming from polluted prototypes  \n\n---\n\n## 💡 Key Features\n\n- Fully interactive and intentionally vulnerable  \n- Highlighted code snippets using [highlight.js](https://highlightjs.org/)  \n- Realistic message board with tag-based HTML validation  \n- Custom `TAG_ALLOWLIST` that gets bypassed via pollution  \n- Modal dialog warning for unsafe markup  \n\n---\n\n## 🧱 Tech Stack\n\n- HTML / CSS / JS (Vanilla)  \n- Modern, responsive layout  \n\n---\n\n## ⚠️ Disclaimer\n\nThis project is **intentionally vulnerable** and is for **educational purposes only**.  \nDo not reuse this code in production environments.\n\n---\n\n## 🧠 Learn More\n\n- https://portswigger.net/web-security/prototype-pollution  \n- https://learn.snyk.io/lesson/prototype-pollution/?ecosystem=javascript  \n- https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/  \n\n---\n\nBuilt with ❤️ to help devs recognize sneaky JS security pitfalls.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoseph-martre%2Fprototype-pollution-interactive-demo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjoseph-martre%2Fprototype-pollution-interactive-demo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoseph-martre%2Fprototype-pollution-interactive-demo/lists"}