CtrlK

Pentest Notes / Exploitation / Web Exploitation

MERN

Exploiting MERN

Prototype Pollution

• Every JS object inherits from Object.prototype
• A vulnerable merge() function with no key filtering allows writing to Object.prototype
• Sending {"proto": {"isAdmin": true}} as POST data causes the merge to recurse into Object.prototype and set .isAdmin = true process-wide
• Any object in Node.js that checks .isAdmin will now resolve true via the prototype chain — even with no own property set
Bypass tip: If proto is filtered, try:
{"constructor": {"prototype": {"isAdmin": true}}}

Why It Works

The vulnerable merge iterates source keys without sanitising proto. When it hits proto, target["proto"] is a reference to Object.prototype, not a new key — so it writes directly onto the global prototype.
The admin check currentUser.isAdmin finds no own property → walks chain → hits polluted Object.prototype.isAdmin = true → grants access.