
Bypasses for __proto__ string match


If the application blocks a request by matching the string "__proto__", can we bypass this?

Created by vitorfhc
Created Aug 29, 2024
Updated May 27, 2025

Category: XSS Execution
Visibility: Public
Type: JS
Charset: UTF-8
Code used before fuzz:
function insertPayload(original, payload) {
    let result = [];
    for (let i = 0; i <= original.length; i++) {
        let newString = original.slice(0, i) + payload + original.slice(i);
        result.push(newString);
    }
    return result;
}
Template used:
s = "abc";
keys = insertPayload("__proto__", fromCodePoint($[i]))

for(i = 0; i < keys.length; i++) {
    if (typeof s[keys[i]] != "undefined") {
        log(keys[i]);
        break;
    }
}

Sample payloads

s = "abc";
keys = insertPayload("__proto__", fromCodePoint(0))

for(i = 0; i < keys.length; i++) {
    if (typeof s[keys[i]] != "undefined") {
        alert(keys[i]);
        break;
    }
}

Fuzz results

Chrome 144.0.0.0 desktop Windows NT 10.0
Updated: Sun Jan 25 2026
Found 1 result

Firefox 147.0 desktop Linux
Updated: Sun Feb 01 2026
Found 1 result

Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated: Sat Jan 31 2026
Found 1 result