Bypass __proto__ string match defense

Some applications protect against prototype pollution by matching the string "__proto__". We can bypass that.

Created by: vitorfhc

Created on: Thursday, August 29, 2024 at 1:03:13 AM

Updated on: Friday, September 13, 2024 at 6:16:12 PM

Vector type: JS

Template used:
s = "$[i]";
if (typeof s["$[chr]__proto__"] != "undefined") {
    log(fromCodePoint($[i]));
}

Sample payloads

s = "0";
if (typeof s["__proto__"] != "undefined") {
    alert(String.fromCodePoint(0));
}

Fuzz results

Chrome 128.0.0.0 desktop macOS 10.15.7
Found 1 result
Data
\
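
A defender-side illustration of the fuzz result above, added here and not part of the original vector: a text match on the quoted literal misses the backslash form because the JavaScript engine drops the backslash, so the check belongs on the evaluated key. The filter shape and the names textFilterAllows, isSafeKey and safeMerge are assumptions.

```javascript
// Added example, not from the original page. The filter shape and all
// function names here are assumptions made for illustration.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Weak check: scans the raw source text for the quoted literal.
function textFilterAllows(sourceText) {
  return !sourceText.includes('"__proto__"');
}

// Robust check: compares the key value after the engine has evaluated it.
function isSafeKey(key) {
  return !BLOCKED_KEYS.has(String(key));
}

// Recursive merge that skips blocked keys and only walks own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (!isSafeKey(key)) continue;
    const value = source[key];
    const isPlainObject =
      value !== null && typeof value === "object" && !Array.isArray(value);
    if (!isPlainObject) {
      target[key] = value;
      continue;
    }
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (!own || target[key] === null || typeof target[key] !== "object") {
      target[key] = {};
    }
    safeMerge(target[key], value);
  }
  return target;
}

// Constructed samples. rawText is what a text filter sees; evaluatedKey is
// what the engine sees for the same literal (the backslash is dropped).
const rawText = String.raw`s["\__proto__"]`;
const evaluatedKey = "\__proto__";
const untrusted = JSON.parse('{"a":{"__proto__":{"polluted":true},"b":1}}');
const merged = safeMerge({}, untrusted);
```

The text filter accepts rawText, while the key-level check rejects the evaluated key and the merge leaves Object.prototype untouched.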