Skill

prototype-pollution

Detects prototype pollution in JavaScript/TypeScript code by auditing object merge, clone, assign operations and untrusted input handling. Guides impact assessment for CVSS scoring.

Javascript

Typescript

security

npx claudepluginhub byamb4/find-cve-agent

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Audit merge/clone/deep-assign utilities, query string parsers, JSON parsers, config mergers, and any package that recursively sets object properties from untrusted input.

Supporting Assets

references/false-positive-indicators.mdreferences/poc-skeleton.mdreferences/sinks.md

SKILL.md

Similar Skills

prototype-pollution

Detects and fixes prototype pollution (CWE-1321) in JavaScript/TypeScript code using deep merges, lodash merge/set, Object.assign with dynamic keys, or recursive copies on user input.

soundcheck

exploiting-prototype-pollution-in-javascript

5.9k

Detects and exploits prototype pollution in JavaScript/Node.js apps via URL/JSON payloads for XSS, RCE, and auth bypass. For security testing web APIs and client-side code.

3 files

cybersecurity-skills

exploiting-prototype-pollution-in-javascript

Detects and exploits JavaScript prototype pollution in client-side and server-side apps for XSS, RCE, and auth bypass via property injection. Useful for pentesting Node.js APIs, JSON merges, and JS frameworks.

asi

Stats

Stars18

Forks2

Last CommitMar 20, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Prototype Pollution Detection

When to Use

Audit merge/clone/deep-assign utilities, query string parsers, JSON parsers, config mergers, and any package that recursively sets object properties from untrusted input.

Key insight: Only ~50% acceptance rate. Must demonstrate REAL impact beyond just polluting prototype.

Process

Step 1: Find Object Manipulation Sinks

grep -rn "Object\.assign\|Object\.defineProperty\|Object\.create" .
grep -rn "merge\|extend\|deepMerge\|deepExtend\|deepAssign\|mixin" .
grep -rn "clone\|deepClone\|cloneDeep\|deepCopy" .
grep -rn "set\|setPath\|setValue\|lodash\.set\|_.set" .
grep -rn "\[.*\]\s*=" . --include="*.js"  # Bracket notation assignment

Step 2: Check for Recursive Property Setting

Look for patterns where object keys from user input are used as property paths:

// VULNERABLE: recursive merge without key filtering
function merge(target, source) {
  for (const key in source) {
    if (typeof source[key] === 'object') {
      target[key] = merge(target[key] || {}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
}

Step 3: Check Key Filtering

grep -rn "__proto__\|constructor\|prototype" . | grep -i "filter\|block\|skip\|ignore\|reject"
grep -rn "Object\.create(null)" .  # Null prototype objects are safe
grep -rn "hasOwnProperty\|Object\.keys\|Object\.entries" .

Step 4: Assess Impact

Prototype pollution alone is often not enough. Look for impact:

DoS: Polluted property causes TypeError crash (toString, valueOf)
Property injection: Polluted property affects security logic (isAdmin, role, auth)
Gadget chains: Polluted property reaches dangerous sink (eval, template)
Method clobbering: toString/valueOf overwritten causing crash

Dangerous Keys

Key	Effect	Impact
`__proto__`	Sets properties on Object.prototype	All objects affected
`constructor.prototype`	Same effect via constructor chain	All objects affected
`constructor`	Overwrites constructor reference	Type confusion
`toString`	Overwrites string conversion	TypeError on string operations
`valueOf`	Overwrites value conversion	TypeError on comparisons
`hasOwnProperty`	Overwrites property check	Logic bypass

CVSS Guidance

Proto pollution + RCE gadget chain: CRITICAL 9.8
Proto pollution + auth bypass: HIGH 8.1
Proto pollution + DoS (crash): HIGH 7.5
Proto pollution with no demonstrated impact: MEDIUM 5.3 (often rejected)

References

Sinks -- Object manipulation sinks
False Positive Indicators
PoC Skeleton