https://github.com/ericcornelissen/pp-runtime-gadgets
Gadgets in the JavaScript runtime based on the ECMAScript specification
https://github.com/ericcornelissen/pp-runtime-gadgets
javascript prototype-pollution
Last synced: 2 months ago
JSON representation
Gadgets in the JavaScript runtime based on the ECMAScript specification
- Host: GitHub
- URL: https://github.com/ericcornelissen/pp-runtime-gadgets
- Owner: ericcornelissen
- License: other
- Created: 2024-05-19T14:54:57.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2025-07-12T12:04:32.000Z (12 months ago)
- Last Synced: 2025-09-15T01:29:21.845Z (10 months ago)
- Topics: javascript, prototype-pollution
- Language: HTML
- Homepage: https://ericcornelissen.github.io/pp-runtime-gadgets/
- Size: 980 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 5
-
Metadata Files:
- Readme: README.md
- License: LICENSE.md
Awesome Lists containing this project
README
# Prototype Pollution affects the JavaScript Runtime
This repository aims to provide a list of JavaScript language functionality that
can be affected by prototype pollution.
## TODO
- [x] Manually check all 160 `Get(` in the [fixed spec reference].
- [ ] Double check all 160 `Get(` in the [fixed spec reference].
- [ ] Manually check other `Get(`-like functions in the [fixed spec reference].
- [ ] Replicate `Reflect.ownKeys`' gadget with other uses of
`[[OwnPropertyKeys]]`.
- [ ] Similar gadgets to those for `RegExp.prototype[@@match]` and
`RegExp.prototype[@@matchAll]` in other `RegExp.prototype` functions.
## Reproduce
To reproduce the results:
- for Node.js: `make test-node` (or `make test-node-docker`)
- for Deno: `make test-deno` (or `make test-deno-docker`)
- for Browsers: `make test-web` and open in a browser.
## Overview
The table below provides an overview of known functions affected by prototype
pollution in the JavaScript language, or _gadgets_. This list is not exhaustive
both in terms of affected APIs and usable properties.
All gadgets were tested on Node.js v24.0.1, Deno v1.46.1, Chromium (Desktop)
v136, and Firefox (Desktop) v138.
The "Score" is an attempt at capturing how easy it is to exploit the gadget in
an arbitrary program, lower is easier. The contributors to the score are defined
in the gadget PoC and the scoring system is defined in [`score.js`].
[`score.js`]: ./pocs/score.js
| API | Prop(s) | Score | Node.js | Deno | Chromium | Firefox |
| ----------------------------------- | ------------------------------------- | ----- | ------- | -------------- | ------------- | ------------- |
| `[[ToPrimitive]]` | [`'toString'`][o0002] | `3` | Yes | Yes | Yes | Yes |
| | [`'valueOf'`][o0003] | `3` | Yes | Yes | Yes | Yes |
| `new AggregateError` | [`'cause'`][o0080] | `0` | Yes | Yes | Yes | Yes |
| `new ArrayBuffer` | [`'maxByteLength'`][o0004] | `1` | Yes | Yes | Yes | Yes |
| `Array.from` | [``][o0044] | `2` | Yes | Yes | Yes | Yes |
| `Array.prototype.at` | [``][o0046] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.concat` | [`@@isConcatSpreadable`][o0088] | `5` | Yes | Yes | Yes | Yes |
| | [``][o0087] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.copyWithin` | [``][o0077] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.every` | [``][o0073] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.fill` | [``][o0054] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.filter` | [``][o0072] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.find` | [``][o0051] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.findIndex` | [``][o0048] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.findLast` | [``][o0050] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.findLastIndex` | [``][o0055] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.flat` | [``][o0089] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.flatMap` | [``][o0091] | `1` | Yes | Yes | Yes | Yes |
| | [``][o0092] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.forEach` | [``][o0090] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.includes` | [``][o0058] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.indexOf` | [``][o0094] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.join` | [``][o0052] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.lastIndexOf` | [``][o0095] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.map` | [``][o0096] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.pop` | [``][o0049] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.reduce` | [``][o0070] | `1` | Yes | Yes | Yes | Yes |
| | [``][o0097] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.reduceRight` | [``][o0074] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.reverse` | [``][o0098] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.shift` | [``][o0099] | `1` | Yes | Yes | Yes | Yes |
| | [``][o0056] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.slice` | [``][o0100] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.some` | [``][o0071] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.sort` | [``][o0057] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.splice` | [``][o0076] | `1` | Yes | Yes | Yes | Yes |
| | [``][o0101] | `1` | Yes | Yes | Yes | Yes |
| | [``][o0103] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.toLocaleString` | [``][o0102] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.toReversed` | [``][o0047] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.toSorted` | [``][o0059] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.toSpliced` | [``][o0053] | `1` | Yes | Yes | Yes | Yes |
| | [``][o0104] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.toString` | [`join`][o0093] | `5` | Yes | Yes | Yes | Yes |
| `Array.prototype.unshift` | [``][o0116] | `1` | Yes | Yes | Yes | Yes |
| `Array.prototype.with` | [``][o0045] | `1` | Yes | Yes | Yes | Yes |
| `new Error` | [`'cause'`][o0079] | `0` | Yes | Yes | Yes | Yes |
| `Function.prototype.apply` | [``][o0005] | `2` | Yes | Yes | Yes | Yes |
| `Function.prototype.bind` | [`'name'`][o0078] | `0` | No | No | No | No |
| `isNaN` | [`'valueOf'`][o0117] | `3` | Yes | Yes | Yes | Yes |
| `Iterator` | [`'done'`][o0032] | `2` | Yes | Yes | Yes | Yes |
| | [`'next'`][o0006] | `5` | Yes | Yes | Yes | Yes |
| | [`'return'`][o0064] | `5` | Yes | Yes | Yes | Yes |
| | [`'value'`][o0033] | `2` | Yes | Yes | Yes | Yes |
| `JSON.stringify` | [``][o0108] | `2` | Yes | Yes | Yes | Yes |
| | [`'toJSON'`][o0025] | `3` | Yes | Yes | Yes | Yes |
| `new Map` | [`0,1`][o0105] | `1` | Yes | Yes | Yes | Yes |
| `Object.defineProperties` | [`'configurable'`][o0109] | `0` | Yes | Yes | Yes | Yes |
| | [`'enumerable'`][o0110] | `0` | Yes | Yes | Yes | Yes |
| | [`'get'`][o0111] | `3` | Yes | Yes | Yes | Yes |
| | [`'set'`][o0112] | `3` | Yes | Yes | Yes | Yes |
| | [`'value'`][o0113] | `1` | Yes | Yes | Yes | Yes |
| | [`'writable'`][o0114] | `0` | Yes | Yes | Yes | Yes |
| `Object.defineProperty` | [`'configurable'`][o0007] | `0` | Yes | Yes | Yes | Yes |
| | [`'enumerable'`][o0008] | `0` | Yes | Yes | Yes | Yes |
| | [`'get'`][o0009] | `3` | Yes | Yes | Yes | Yes |
| | [`'set'`][o0010] | `3` | Yes | Yes | Yes | Yes |
| | [`'value'`][o0011] | `1` | Yes | Yes | Yes | Yes |
| | [`'writable'`][o0012] | `0` | Yes | Yes | Yes | Yes |
| `Object.entries` | [`'enumerable'`][o0013] | `2` | Yes | Yes | Yes | Yes |
| `Object.fromEntries` | [`0,1`][o0014] | `1` | Yes | Yes | Yes | Yes |
| `Object.keys` | [`,'enumerable'`][o0115] | `5` | Yes | Yes | Yes | Yes |
| | [`'enumerable'`][o0015] | `3` | Yes | Yes | Yes | Yes |
| `Object.prototype.toString` | [`@@toStringTag`][o0034] | `3` | Yes | Yes | Yes | Yes |
| `Object.values` | [`'enumerable'`][o0016] | `3` | Yes | Yes | Yes | Yes |
| `new Proxy` | [`'apply'`][o0040] | `3` | Yes | Yes | Yes | Yes |
| | [`'construct'`][o0065] | `3` | Yes | Yes | Yes | Yes |
| | [`'defineProperty'`][o0067] | `3` | Yes | Yes | Yes | Yes |
| | [`'deleteProperty'`][o0041] | `3` | Yes | Yes | Yes | Yes |
| | [`'getOwnPropertyDescriptor'`][o0038] | `3` | Yes | Yes | Yes | Yes |
| | [`'isExtensible'`][o0042] | `3` | Yes | Yes | Yes | Yes |
| | [`'ownKeys'`][o0037] | `3` | Yes | Yes | Yes | Yes |
| | [`'preventExtensions'`][o0069] | `3` | Yes | Yes | Yes | Yes |
| | [`'set'`][o0036] | `3` | Yes | Yes | Yes | Yes |
| | [`'setPrototypeOf'`][o0075] | `3` | Yes | Yes | Yes | Yes |
| `Reflect.apply` | [``][o0017] | `2` | Yes | Yes | Yes | Yes |
| `Reflect.construct` | [``][o0018] | `2` | Yes | Yes | Yes | Yes |
| `Reflect.defineProperty` | [`'configurable'`][o0026] | `0` | Yes | Yes | Yes | Yes |
| | [`'enumerable'`][o0027] | `0` | Yes | Yes | Yes | Yes |
| | [`'get'`][o0028] | `3` | Yes | Yes | Yes | Yes |
| | [`'set'`][o0029] | `3` | Yes | Yes | Yes | Yes |
| | [`'value'`][o0030] | `1` | Yes | Yes | Yes | Yes |
| | [`'writable'`][o0031] | `0` | Yes | Yes | Yes | Yes |
| `Reflect.ownKeys` | [``][o0001] | `5` | Yes | Yes | Yes | Yes |
| `new RegExp` | [`'source'`][o0039] | `2` | Yes | Yes | Yes | Yes |
| `RegExp.prototype[@@match]` | [`0`][o0084] | `2` | Yes | Yes | Yes | Yes |
| | [`'exec'`][o0066] | `2` | Yes | Yes | Yes | Yes |
| | [`'flags'`][o0082] | `2` | Yes | No | Yes | Yes |
| | [`'global'`][o0083] | `2` | No | Yes | No | No |
| `RegExp.prototype[@@matchAll]` | [`'flags'`][o0086] | `2` | Yes | Yes | Yes | Yes |
| | [`'lastIndex'`][o0085] | `2` | Yes | Yes | Yes | Yes |
| `new SharedArrayBuffer` | [`'maxByteLength'`][o0019] | `1` | Yes | Yes | _Unsupported_ | _Unsupported_ |
| `Set.prototype.difference` | [`'has','size'`][o0063] | `3` | Yes | Yes | Yes | Yes |
| `Set.prototype.intersection` | [`'has','size'`][o0061] | `3` | Yes | Yes | Yes | Yes |
| `Set.prototype.isDisjointFrom` | [`'has','size'`][o0062] | `3` | Yes | Yes | Yes | Yes |
| `Set.prototype.isSubsetOf` | [`'has','size'`][o0106] | `3` | Yes | Yes | Yes | Yes |
| `Set.prototype.isSupersetOf` | [`'has','size'`][o0107] | `3` | Yes | Yes | Yes | Yes |
| `Set.prototype.symmetricDifference` | [`'has','size'`][o0060] | `3` | Yes | Yes | Yes | Yes |
| `Set.prototype.union` | [`'has','size'`][o0035] | `3` | Yes | Yes | Yes | Yes |
| `String.prototype.endsWith` | [`@@match`][o0020] | `5` | Yes | Yes | Yes | Yes |
| `String.prototype.includes` | [`@@match`][o0021] | `5` | Yes | Yes | Yes | Yes |
| `String.prototype.matchAll` | [`@@match,@@matchAll,'flags'`][o0022] | `8` | Yes | Yes | Yes | Yes |
| `String.prototype.replaceAll` | [`@@match,@@replace,'flags'`][o0023] | `8` | Yes | Yes | Yes | Yes |
| `String.prototype.startsWith` | [`@@match`][o0024] | `5` | Yes | Yes | Yes | Yes |
| `String.raw` | [`'raw'`][o0081] | `2` | Yes | Yes | Yes | Yes |
| `TypedArray.from` | [``][o0068] | `2` | Yes | Yes | Yes | Yes |
| `with` | [`@@unscopables`][o0043] | `3` | Yes | _Unsupported_ | Yes | Yes |
where:
- `/[0-9]+/`: is a specific numeric property.
- `/'.+?'/`: is a specific string property.
- `/@@.+?/`: is a specific [well-known symbol].
- ``: is any numeric property.
- ``: is any property.
notes:
- `Array.prototype[*]` gadgets generally should also work on their TypedArray
equivalent.
- `Iterator[*]` gadgets generally should also work on their async equivalent.
[o0001]: ./pocs/[[OwnPropertyKeys]]-.PoC.js
[o0002]: ./pocs/[[ToPrimitive]]-toString.PoC.js
[o0003]: ./pocs/[[ToPrimitive]]-valueOf.PoC.js
[o0004]: ./pocs/ArrayBuffer-maxByteLength.PoC.js
[o0005]: ./pocs/FunctionPrototypeApply-.PoC.js
[o0006]: ./pocs/Iterator-next.PoC.js
[o0007]: ./pocs/ObjectDefineProperty-configurable.PoC.js
[o0008]: ./pocs/ObjectDefineProperty-enumerable.PoC.js
[o0009]: ./pocs/ObjectDefineProperty-get.PoC.js
[o0010]: ./pocs/ObjectDefineProperty-set.PoC.js
[o0011]: ./pocs/ObjectDefineProperty-value.PoC.js
[o0012]: ./pocs/ObjectDefineProperty-writable.PoC.js
[o0013]: ./pocs/ObjectEntries-enumerable.PoC.js
[o0014]: ./pocs/ObjectFromEntries-0,1.PoC.js
[o0015]: ./pocs/ObjectKeys-enumerable.PoC.js
[o0016]: ./pocs/ObjectValues-enumerable.PoC.js
[o0017]: ./pocs/ReflectApply-.PoC.js
[o0018]: ./pocs/ReflectConstruct-.PoC.js
[o0019]: ./pocs/SharedArrayBuffer-maxByteLength.PoC.js
[o0020]: ./pocs/StringPrototypeEndsWith-@@match.PoC.js
[o0021]: ./pocs/StringPrototypeIncludes-@@match.PoC.js
[o0022]: ./pocs/StringPrototypeMatchAll-@@match,@@matchAll,flag.PoC.js
[o0023]: ./pocs/StringPrototypeReplaceAll-@@match,@@replace,flag.PoC.js
[o0024]: ./pocs/StringPrototypeStartsWith-@@match.PoC.js
[o0025]: ./pocs/JSONStringify-toJSON.PoC.js
[o0026]: ./pocs/ReflectDefineProperty-configurable.PoC.js
[o0027]: ./pocs/ReflectDefineProperty-enumerable.PoC.js
[o0028]: ./pocs/ReflectDefineProperty-get.PoC.js
[o0029]: ./pocs/ReflectDefineProperty-set.PoC.js
[o0030]: ./pocs/ReflectDefineProperty-value.PoC.js
[o0031]: ./pocs/ReflectDefineProperty-writable.PoC.js
[o0032]: ./pocs/Iterator-done.PoC.js
[o0033]: ./pocs/Iterator-value.PoC.js
[o0034]: ./pocs/ObjectToString-@@toStringTag.PoC.js
[o0035]: ./pocs/SetPrototypeUnion-has,size.PoC.js
[o0036]: ./pocs/Proxy-set.PoC.js
[o0037]: ./pocs/Proxy-ownKeys.PoC.js
[o0038]: ./pocs/Proxy-getOwnPropertyDescriptor.PoC.js
[o0039]: ./pocs/RegExp-source.PoC.js
[o0040]: ./pocs/Proxy-apply.PoC.js
[o0041]: ./pocs/Proxy-deleteProperty.PoC.js
[o0042]: ./pocs/Proxy-isExtensible.PoC.js
[o0043]: ./pocs/with-@@unscopables.PoC.cjs
[o0044]: ./pocs/ArrayFrom-.PoC.js
[o0045]: ./pocs/ArrayPrototypeWith-.PoC.js
[o0046]: ./pocs/ArrayPrototypeAt-.PoC.js
[o0047]: ./pocs/ArrayPrototypeToReversed-.PoC.js
[o0048]: ./pocs/ArrayPrototypeFindIndex-.PoC.js
[o0049]: ./pocs/ArrayPrototypePop-.PoC.js
[o0050]: ./pocs/ArrayPrototypeFindLast-.PoC.js
[o0051]: ./pocs/ArrayPrototypeFind-.PoC.js
[o0052]: ./pocs/ArrayPrototypeJoin-.PoC.js
[o0053]: ./pocs/ArrayPrototypeToSpliced-.PoC-1.js
[o0054]: ./pocs/ArrayPrototypeFill-.PoC.js
[o0055]: ./pocs/ArrayPrototypeFindLastIndex-.PoC.js
[o0056]: ./pocs/ArrayPrototypeShift-.PoC-1.js
[o0057]: ./pocs/ArrayPrototypeSort-.PoC.js
[o0058]: ./pocs/ArrayPrototypeIncludes-.PoC.js
[o0059]: ./pocs/ArrayPrototypeToSorted-.PoC.js
[o0060]: ./pocs/SetPrototypeSymmetricDifference-has,size.PoC.js
[o0061]: ./pocs/SetPrototypeIntersection-has,size.PoC.js
[o0062]: ./pocs/SetPrototypeIsDisjointFrom-has,size.PoC.js
[o0063]: ./pocs/SetPrototypeDifference-has,size.PoC.js
[o0064]: ./pocs/Iterator-return.PoC.js
[o0065]: ./pocs/Proxy-construct.PoC.js
[o0066]: ./pocs/RegExpPrototype@@match-exec.PoC.js
[o0067]: ./pocs/Proxy-defineProperty.PoC.js
[o0068]: ./pocs/TypedArrayFrom-.PoC.js
[o0069]: ./pocs/Proxy-preventExtensions.PoC.js
[o0070]: ./pocs/ArrayPrototypeReduce-.PoC-1.js
[o0071]: ./pocs/ArrayPrototypeSome-.PoC.js
[o0072]: ./pocs/ArrayPrototypeFilter-.PoC.js
[o0073]: ./pocs/ArrayPrototypeEvery-.PoC.js
[o0074]: ./pocs/ArrayPrototypeReduceRight-.PoC.js
[o0075]: ./pocs/Proxy-setPrototypeOf.PoC.js
[o0076]: ./pocs/ArrayPrototypeSplice-.PoC-1.js
[o0077]: ./pocs/ArrayPrototypeCopyWithin-.PoC.js
[o0078]: ./pocs/FunctionPrototypeBind-name.PoC.js
[o0079]: ./pocs/Error-cause.PoC.js
[o0080]: ./pocs/AggregateError-cause.PoC.js
[o0081]: ./pocs/StringRaw-raw.PoC.js
[o0082]: ./pocs/RegExpPrototype@@match-flags.PoC.js
[o0083]: ./pocs/RegExpPrototype@@match-global.PoC.js
[o0084]: ./pocs/RegExpPrototype@@match-0.PoC.js
[o0085]: ./pocs/RegExpPrototype@@matchAll-lastIndex.PoC.js
[o0086]: ./pocs/RegExpPrototype@@matchAll-flags.PoC.js
[o0087]: ./pocs/ArrayPrototypeConcat-.PoC.js
[o0088]: ./pocs/ArrayPrototypeConcat-@@isConcatSpreadable.PoC.js
[o0089]: ./pocs/ArrayPrototypeFlat-.PoC.js
[o0090]: ./pocs/ArrayPrototypeForEach-.PoC.js
[o0091]: ./pocs/ArrayPrototypeFlatMap-.PoC-1.js
[o0092]: ./pocs/ArrayPrototypeFlatMap-.PoC-2.js
[o0093]: ./pocs/ArrayPrototypeToString-join.PoC.js
[o0094]: ./pocs/ArrayPrototypeIndexOf-.PoC.js
[o0095]: ./pocs/ArrayPrototypeLastIndexOf-.PoC.js
[o0096]: ./pocs/ArrayPrototypeMap-.PoC.js
[o0097]: ./pocs/ArrayPrototypeReduce-.PoC-2.js
[o0098]: ./pocs/ArrayPrototypeReverse-.PoC.js
[o0099]: ./pocs/ArrayPrototypeShift-.PoC-2.js
[o0100]: ./pocs/ArrayPrototypeSlice-.PoC.js
[o0101]: ./pocs/ArrayPrototypeSplice-.PoC-2.js
[o0102]: ./pocs/ArrayPrototypeToLocaleString-.PoC.js
[o0103]: ./pocs/ArrayPrototypeSplice-.PoC-3.js
[o0104]: ./pocs/ArrayPrototypeToSpliced-.PoC-2.js
[o0105]: ./pocs/Map-0,1.PoC.js
[o0106]: ./pocs/SetPrototypeIsSubsetof-has,size.PoC.js
[o0107]: ./pocs/SetPrototypeIsSupersetOf-has,size.PoC.js
[o0108]: ./pocs/JSONStringify-.PoC.js
[o0109]: ./pocs/ObjectDefineProperties-configurable.PoC.js
[o0110]: ./pocs/ObjectDefineProperties-enumerable.PoC.js
[o0111]: ./pocs/ObjectDefineProperties-get.PoC.js
[o0112]: ./pocs/ObjectDefineProperties-set.PoC.js
[o0113]: ./pocs/ObjectDefineProperties-value.PoC.js
[o0114]: ./pocs/ObjectDefineProperties-writable.PoC.js
[o0115]: ./pocs/ObjectKeys-,enumerable.PoC.js
[o0116]: ./pocs/ArrayPrototypeUnshift-.PoC.js
[o0117]: ./pocs/isNan-valueOf.PoC.js
## Unaffected
The table below lists evaluated sections in the ECMAScript spec which were
deemed unaffected by prototype pollution.
| API | Property | Reason |
| -------------------------------------- | --------------- | ------------------------------------------------------------------------------------------------------------------------ |
| [`[[DefineOwnProperty]]`][i0008] | `` | _Not evaluated_ |
| [`[[Get]]`][i0009] | `` | _Not evaluated_ |
| [`[[GetOwnProperty]]`][i0007] | `` | _Not evaluated_ |
| [`ArraySpeciesCreate`][i0006] | `'constructor'` | Object on which lookup should happen must be an array, which means it must have a `constructor` property. |
| | `@@species` | Object on which lookup should happen must be an array constructor, which means it must have a `@@species` property. |
| [`Array.prototype.reduceRight`][i0019] | `` | Cannot affect initial value because the last index necessarily coincides with the array length. |
| [`HasBinding`][i0003] | `@@unscopable` | _Not evaluated_ |
| | `` | _Not evaluated_ |
| [`CopyDataProperties`][i0001] | `` | Implementation should `ToObject` the subject, hence all own keys are actually own keys. |
| [`CreateRegExpStringIterator`][i0018] | `0` | Only ever invoked on a properly constructed RegExp, meaning `0` is always defined. |
| | `'lastIndex'` | This property is explicitly set in all functions calling this abstract operation. |
| [`Error.prototype.toString`][i0014] | `'name'` | `this` will realistically only be an instance of Error, in which case `name` is defined on `Error.prototype`. |
| | `'message'` | `this` will realistically only be an instance of Error, in which case `message` is defined on `Error.prototype`. |
| [`Function.prototype.bind`][i0013] | `'length'` | It is checked that the property is an own property before it is accessed. |
| [`GetBindingValue`][i0004] | `` | Checks `HasProperty` before `Get`. |
| [`GetPrototypeFromConstructor`][i0005] | `'prototype'` | Object on which lookup should happen must be a callable, which means it must have a `prototype` property. |
| [`GetSubstitution`][i0015] | `` | Getting properties on the `namedCapture` object which always has a `null` prototype. |
| [`Object.assign`][i0010] | `` | Will only access keys in the `[[OwnPropertyKeys]]` set. |
| `Object.freeze` | [``][i0022] | - |
| `Object.seal` | [``][i0021] | - |
| [`ObjectDefineProperties`][i0011] | `` | Will only access keys in the `[[OwnPropertyKeys]]` set. |
| [`OrdinaryHasInstance`][i0002] | `'prototype'` | Object on which lookup should happen must be a callable, which means it must have a `prototype` property. |
| [`PromiseResolve`][i0020] | `'constructor'` | It is checked that `x` is a `Promise`. |
| [`RegExpBuiltinExec`][i0017] | `'lastIndex'` | `R` is only ever an initialized RegExp. |
| [`RegExp.prototype.toString`][i0012] | `'source'` | `this` will realistically only be an instance of RegExp, in which case `source` is always defined. |
| | `'flags'` | `this` will realistically only be an instance of RegExp, in which case `flags` is always defined. |
| [`RegExp.prototype[@@match]`][i0016] | `'unicode'` | Only affects `lastIndex` incrementing, effect depends on user implementation (Note: may be accessed instead of "flags"). |
| | `'unicodeSets'` | Only affects `lastIndex` incrementing, effect depends on user implementation (Note: may be accessed instead of "flags"). |
[i0001]: https://tc39.es/ecma262/#sec-copydataproperties
[i0002]: https://tc39.es/ecma262/#sec-ordinaryhasinstance
[i0003]: https://tc39.es/ecma262/#sec-object-environment-records-hasbinding-n
[i0004]: https://tc39.es/ecma262/#sec-object-environment-records-getbindingvalue-n-s
[i0005]: https://tc39.es/ecma262/#sec-getprototypefromconstructor
[i0006]: https://tc39.es/ecma262/#sec-arrayspeciescreate
[i0007]: https://tc39.es/ecma262/#sec-arguments-exotic-objects-getownproperty-p
[i0008]: https://tc39.es/ecma262/#sec-arguments-exotic-objects-defineownproperty-p-desc
[i0009]: https://tc39.es/ecma262/#sec-arguments-exotic-objects-get-p-receiver
[i0010]: https://tc39.es/ecma262/#sec-object.assign
[i0011]: https://tc39.es/ecma262/#sec-objectdefineproperties
[i0012]: https://tc39.es/ecma262/#sec-regexp.prototype.tostring
[i0013]: https://tc39.es/ecma262/#sec-function.prototype.bind
[i0014]: https://tc39.es/ecma262/#sec-error.prototype.tostring
[i0015]: https://tc39.es/ecma262/#sec-getsubstitution
[i0016]: https://tc39.es/ecma262/#sec-regexp.prototype-%symbol.match%
[i0017]: https://tc39.es/ecma262/#sec-regexpbuiltinexec
[i0018]: https://tc39.es/ecma262/#sec-createregexpstringiterator
[i0019]: https://tc39.es/ecma262/#sec-array.prototype.reduceright
[i0020]: https://tc39.es/ecma262/#sec-array.prototype.reduceright
[i0021]: ./pocs/ObjectSeal-.PoC.js
[i0022]: ./pocs/ObjectFreeze-.PoC.js
## Methodology
Two approaches have been used to compile the list of usable and unusable runtime
gadgets.
### Manual (in progress)
A manual review of the ECMAScript [spec] has been conducted, specifically
looking for use of the `Get(O, P)` function. This function gets property `P`
from object `O`, hence if `P` is missing from `O` the lookup could be affected
by prototype pollution.
During manual testing, a proxy object like the one shown below is used to find
out what properties are being looked up exactly.
```javascript
const proxy = new Proxy({}, {
get(target, property, _receiver) {
if (!Object.hasOwn(target, property)) {
console.log("looked up:", property);
}
return target[property];
},
});
```
### `tc39/test262`
The [tc39/test262] suite is an extensive conformance test suite for the
ECMAScript specification. Hence, it should provide extensive coverage of all
JavaScript language features, and can thus be used to help automatically find
gadgets.
The [tc39](./tc39/) directory contains the materials necessary for using the
test262 suite in a semi-automated pipeline for finding runtime gadgets. More
detail can be found in its `README.md`.
## Related Work
- [Follow My Flow: Unveiling Client-Side Prototype Pollution Gadgets from One Million Real-World Websites](https://www.computer.org/csdl/proceedings-article/sp/2025/223600a016/21B7Q7OZKms)
Toolchain the find prototype pollution gadgets in websites. It cannot find the
gadgets described in this repository because it cannot instrument the relevant
code.
- [Undefined-oriented Programming: Detecting and Chaining Prototype Pollution Gadgets in Node. js Template Engines for Malicious Consequences](https://www.computer.org/csdl/proceedings-article/sp/2024/313000a121/1Ub23uAzNcI)
Toolchain to find prototype pollution in the Node.js template engines. It
cannot find the gadgets described in this repository because it cannot
statically analyze built-in functionality.
- [GHunter: Universal Prototype Pollution Gadgets in JavaScript Runtimes](https://www.usenix.org/conference/usenixsecurity24/presentation/cornelissen)
Toolchain to find prototype pollution gadgets in the Node.js runtime. It
cannot find the gadgets described in this repository because they're not
covered by the binding code.
- [Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js](https://www.usenix.org/conference/usenixsecurity23/presentation/shcherbakov)
Toolchain to find prototype pollution and gadgets in libraries and the Node.js
runtime. It cannot find the gadgets described in this repository because it
cannot statically analyze built-in functionality.
[fixed spec reference]: ./spec-reference.html
[spec]: https://tc39.es/ecma262 "ECMAScript Language Specification"
[tc39/test262]: https://github.com/tc39/test262
[well-known symbol]: https://tc39.es/ecma262/#sec-well-known-symbols "ECMAScript Well-Known Symbols"