https://github.com/joseph-martre/prototype-pollution-interactive-demo
Interactive demo of a prototype pollution → XSS exploit in JavaScript
client-side cybersecurity demo education exploit frontend-security html-sanitization infosec interactive-demo javascript prototype-pollution security vulnerability web-security xss
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/joseph-martre/prototype-pollution-interactive-demo
- Owner: Joseph-Martre
- License: isc
- Created: 2025-04-06T21:18:33.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2025-04-06T21:50:51.000Z (about 1 year ago)
- Last Synced: 2025-04-09T22:14:17.451Z (about 1 year ago)
- Topics: client-side, cybersecurity, demo, education, exploit, frontend-security, html-sanitization, infosec, interactive-demo, javascript, prototype-pollution, security, vulnerability, web-security, xss
- Language: HTML
- Homepage: https://prototype-pollution-interactive-demo.netlify.app/
- Size: 142 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# 🧪 Prototype Pollution XSS Demo
This project is an **interactive demonstration** of a client-side **Prototype Pollution** vulnerability, resulting in a bypass of a sanitized HTML allowlist and triggering **Cross-Site Scripting (XSS)**.
🔗 **Live Demo**: https://prototype-pollution-interactive-demo.netlify.app/
📜 Licensed under [ISC](./LICENSE)
---
## 🚨 What It Shows
Prototype pollution is a vulnerability specific to JavaScript's prototype-based object model: an attacker gets to write properties onto the shared default prototype (`Object.prototype`), so every plain object in the application silently inherits them. Depending on how the application reads those objects, this can lead to unexpected behavior and security flaws, such as:
- Bypassing `Object.freeze`-based allowlists (freezing stops writes to the allowlist object itself, but lookups still fall through to the polluted prototype)
- Triggering arbitrary script execution (XSS)
- Causing application crashes (DoS)
This demo walks through:
- The vulnerability basics
- Code examples of the pollution exploit
- Real-time, fake chat messages simulating an XSS attack
- HTML sanitization flaws stemming from polluted prototypes
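As an added example (not the demo's own code), the pattern this section describes: a frozen tag allowlist whose lookup is still fooled once `Object.prototype` has been polluted by a naive merge of untrusted JSON, beside the two fixes a sanitizer needs (an own-property check, and a merge that refuses keys that reach the prototype chain). All function names and the sample payload are assumptions.

```javascript
// Added example, not the demo's own code; names and the sample payload are assumptions.
// Object.freeze blocks writes to THIS object only: reads still walk the prototype
// chain, so a polluted Object.prototype is consulted by the vulnerable lookup.
const TAG_ALLOWLIST = Object.freeze({ b: true, i: true, em: true, strong: true });
// Vulnerable check: bracket lookup also returns inherited properties.
const isAllowedTagVulnerable = (tag) => Boolean(TAG_ALLOWLIST[tag]);
// Hardened check: only an own property of the allowlist counts.
const isAllowedTagHardened = (tag) => Object.hasOwn(TAG_ALLOWLIST, tag) && TAG_ALLOWLIST[tag] === true;

// Naive recursive merge of untrusted JSON: a "__proto__" key resolves to
// Object.prototype on the target, so the recursion writes straight into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else target[key] = value;
  }
  return target;
}

// Fixed merge: refuse prototype-reaching keys and only descend into OWN properties of the target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!Object.hasOwn(target, key) || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], value);
    } else target[key] = value;
  }
  return target;
}

// Constructed untrusted settings payload, e.g. parsed from a URL fragment or a chat message.
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"script":true}}';

// Merge the payload with the given strategy, then ask both checks whether <script> is allowed.
function runScenario(merge, untrustedJson = UNTRUSTED_JSON) {
  merge({ theme: 'light' }, JSON.parse(untrustedJson));
  const result = {
    polluted: Object.hasOwn(Object.prototype, 'script'),
    vulnerable: isAllowedTagVulnerable('script'),
    hardened: isAllowedTagHardened('script'),
  };
  delete Object.prototype.script; // reset so the next scenario starts clean
  return result;
}
```

`runScenario(unsafeMerge)` reports the prototype polluted and `<script>` accepted by the vulnerable lookup but rejected by the hardened one; `runScenario(safeMerge)` never pollutes at all.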
---
## 💡 Key Features
- Fully interactive and intentionally vulnerable
- Highlighted code snippets using [highlight.js](https://highlightjs.org/)
- Realistic message board with tag-based HTML validation
- Custom `TAG_ALLOWLIST` that gets bypassed via pollution
- Modal dialog warning for unsafe markup
---
## 🧱 Tech Stack
- HTML / CSS / JS (Vanilla)
- Modern, responsive layout
---
## ⚠️ Disclaimer
This project is **intentionally vulnerable** and is for **educational purposes only**.
Do not reuse this code in production environments.
---
## 🧠 Learn More
- https://portswigger.net/web-security/prototype-pollution
- https://learn.snyk.io/lesson/prototype-pollution/?ecosystem=javascript
- https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/
---
Built with ❤️ to help devs recognize sneaky JS security pitfalls.