Bypass proto string match defense

Some applications protect against prototype pollution by matching the string "__proto__". We can bypass that.

Created by: vitorfhc

Created on: Thursday, August 29, 2024 at 1:03:13 AM

Updated on: Thursday, April 10, 2025 at 2:10:54 PM

Vector type: JS

Vector charset: UTF-8

Template used:

s = "$[i]";
if (typeof s["$[chr]__proto__"] != "undefined") {
    log(fromCodePoint($[i]));
}

Your browser was detected as:

Detecting... Detecting... Detecting... Detecting...

Sample payloads

s = "0";
if (typeof s["__proto__"] != "undefined") {
    alert(fromCodePoint(0));
}

Chrome 128.0.0.0 desktop macOS 10.15.7

Updated

Thu Aug 29 2024

Found 1 result

Show differences only?

Filter out alphanumeric

Sort ascending