Shazzer logo
Login

Bypass __proto__ string match defense

Chrome logo 1
Firefox logo 1
Edge logo 1

Some applications protect against prototype pollution by matching the string "__proto__". We can bypass that.

vitorfhc
Created byvitorfhc
Created Aug 29, 2024
Updated May 27, 2025

Tweet
Detecting browser...
CategoryBrowser Quirks
VisibilityPublic
TypeJS
CharsetUTF-8
Template used:
s = "$[i]";0x0D
if (typeof s["$[chr]__proto__"] != "undefined") {0x0D
    log(fromCodePoint($[i]));0x0D
}

Sample payloads

s = "0";0x0D
if (typeof s["0x00__proto__"] != "undefined") {0x0D
    alert(fromCodePoint(0));0x0D
}

Fuzz results

Chrome logo
Chrome 145.0.0.0 desktop Windows NT 10.0
Updated16 Feb 2026
Found 1 result
Loading...
Chrome logo
Chrome 128.0.0.0 desktop macOS 10.15.7older version
Updated29 Aug 2024
Found 1 result
Loading...
Firefox logo
Firefox 147.0 desktop Linux
Updated1 Feb 2026
Found 1 result
Loading...
Edge logo
Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated30 Jan 2026
Found 1 result
Loading...

Distributed Fuzzing

Enabled:
Status:disconnected
Your browser automatically contributes to distributed fuzzing when idle.