Bypass proto string match defense

Some applications protect against prototype pollution by matching the string "__proto__". We can bypass that.

Created by: vitorfhc

Created on: Thursday, August 29, 2024 at 1:03:13 AM

Updated on: Tuesday, May 27, 2025 at 5:50:43 PM

Category: Browser Quirks

Vector visibility: Public

Vector type: JS

Vector charset: UTF-8

Template used:

s = "$[i]";0x0D
if (typeof s["$[chr]__proto__"] != "undefined") {0x0D
    log(fromCodePoint($[i]));0x0D
}

Your browser was detected as:

Detecting... Detecting... Detecting... Detecting...

Sample payloads

s = "0";0x0D
if (typeof s["0x00__proto__"] != "undefined") {0x0D
    alert(fromCodePoint(0));0x0D
}

Chrome 128.0.0.0 desktop macOS 10.15.7

Updated

Thu Aug 29 2024

Found 1 result

Show differences only?

Filter out alphanumeric

Sort ascending