Prototype Pollution Exploits

Intro

This repository is a collection of exploits for Prototype Pollution vulnerability. If you're not familiar with the Prototype Pollution vulnerability, please have a look at another one of my repositories https://github.com/Kirill89/prototype-pollution-explained.

The goal of this project is not to collect every possible Prototype Pollution exploit, rather collect exploits for popular packages and in all possible variations – build a dataset for future Prototype Pollution research.

Structure

Exploits are stored in separate JS files, e.g. <package_name>/<method_name>/<payload_type>.js.

Additionally, each package folder has an MD file with exploits and list of vulnerable versions.

Exploits

• Utility libraries
  • lodash
  • set-value
  • dot-prop
  • merge
  • deepmerge
  • merge-deep
  • object-path
  • extend
  • just-safe-set
  • dset
• Parsers
  • yargs-parser
  • minimist
  • ini
  • open-graph
• Databases
  • nedb
• Server
  • express-fileupload

Contributions

Feel free to open pull requests and add more exploits.