Bypasses for proto string match

If the application matches the "__proto__" string for blocking the request, can we bypass this?

Created byvitorfhc

Created Aug 29, 2024

Updated May 27, 2025

Detecting browser...

CategoryXSS Execution

VisibilityPublic

TypeJS

CharsetUTF-8

Code used before fuzz:

function insertPayload(original, payload) {0x0D
    let result = [];0x0D
    for (let i = 0; i <= original.length; i++) {0x0D
        let newString = original.slice(0, i) + payload + original.slice(i);0x0D
        result.push(newString);0x0D
    }0x0D
    return result;0x0D
}

Template used:

s = "abc";0x0D
keys = insertPayload("__proto__", fromCodePoint($[i]))0x0D
0x0D
for(i = 0; i < keys.length; i++) {0x0D
    if (typeof s[keys[i]] != "undefined") {0x0D
        log(keys[i]);0x0D
        break;0x0D
    }0x0D
}

Bypasses for proto string match

If the application matches the "__proto__" string for blocking the request, can we bypass this?

Created byvitorfhc

Created Aug 29, 2024

Updated May 27, 2025

Detecting browser...

CategoryXSS Execution

VisibilityPublic

TypeJS

CharsetUTF-8

Code used before fuzz:

function insertPayload(original, payload) {0x0D
    let result = [];0x0D
    for (let i = 0; i <= original.length; i++) {0x0D
        let newString = original.slice(0, i) + payload + original.slice(i);0x0D
        result.push(newString);0x0D
    }0x0D
    return result;0x0D
}

Template used:

s = "abc";0x0D
keys = insertPayload("__proto__", fromCodePoint($[i]))0x0D
0x0D
for(i = 0; i < keys.length; i++) {0x0D
    if (typeof s[keys[i]] != "undefined") {0x0D
        log(keys[i]);0x0D
        break;0x0D
    }0x0D
}

Bypasses for proto string match

Fuzz results

Bypasses for proto string match

Fuzz results

Distributed Fuzzing

Bypasses for __proto__ string match

Fuzz results

Bypasses for __proto__ string match

Fuzz results

Bypasses for proto string match

Bypasses for proto string match