Bypass proto string match defense

Some applications protect against prototype pollution by matching the string "__proto__". We can bypass that.

Novice Fuzzer

Created byvitorfhc

Created Aug 29, 2024

Updated May 27, 2025

Detecting browser...

CategoryBrowser Quirks

VisibilityPublic

TypeJS

CharsetUTF-8

Template used:

s = "$[i]";0x0D
if (typeof s["$[chr]__proto__"] != "undefined") {0x0D
    log(fromCodePoint($[i]));0x0D
}

Sample payloads

s = "0";0x0D
if (typeof s["0x00__proto__"] != "undefined") {0x0D
    alert(fromCodePoint(0));0x0D
}