Prototype Pollution
JavaScript prototype pollution attacks
Key Concepts
Security Mindset
Think like an attacker - what can go wrong, what can be abused?
Defense in Depth
Multiple layers of security controls, no single point of failure.
Least Privilege
Grant minimum permissions needed for functionality.
Trust Boundaries
Identify where data crosses trust levels and validate at each boundary.
Learning Material
What You'll Learn
JavaScript prototype pollution attacks
Think like an attacker - what can go wrong, what can be abused?
Multiple layers of security controls, no single point of failure.
Grant minimum permissions needed for functionality.
Identify where data crosses trust levels and validate at each boundary.
Injection & Client-Side Attacks Research
Purpose: Understanding injection and client-side vulnerability classes
Last Updated: December 28, 2025
Contents
Injection Attacks
- XSS (Cross-Site Scripting) - Reflected, Stored, DOM-based
- SQL Injection - UNION, Blind, Error-based, OOB
- SSRF (Server-Side Request Forgery) - Cloud metadata, internal services
- XXE (XML External Entity) - File read, blind exfiltration
- SSTI (Server-Side Template Injection) - Jinja2, Twig, Freemarker RCE
Case Studies
- Case Studies Index
Key Takeaways
XSS (CWE-79)
- Most common web vulnerability (CWE #1)
- DOM-based often missed by scanners
- CSP bypass techniques critical for modern apps
- Impact: cookie theft, session hijacking, phishing
SQL Injection (CWE-89)
- Highest impact for data breach
- Blind techniques (boolean/time) when no output
- sqlmap for automation, Burp for manual
- Always test:
' OR 1=1--,' AND SLEEP(5)--
SSRF (CWE-918)
- Cloud focus: 169.254.169.254 metadata endpoints
- Bypass: IP obfuscation, DNS rebinding, open redirects
- Blind SSRF via Collaborator/webhook.site
- Combine with XXE for internal reconnaissance
XXE (CWE-611)
- Modern XML parsers often secure by default
- Look for: SOAP, file upload (SVG, DOCX), content-type switching
- OOB exfiltration when no direct output
- Local DTD exploitation for stricter parsers
SSTI
- Highest payout potential (RCE)
- Detection:
${{<%**%'"}}%\fuzzing - Engine identification via error messages
- Jinja2/Twig most common in bug bounty
H1 Agent Mapping
| Vulnerability | Primary Agent | Pipeline |
|---|---|---|
| XSS | h1-hunter-agent | Manual + Burp |
| SQLi | h1-hunter-agent | sqlmap automation |
| SSRF | h1-hunter-agent | Collaborator-based |
| XXE | h1-hunter-agent | XML fuzzing |
| SSTI | h1-hunter-agent | Template fuzzing |
CWE Rankings (2024)
| Rank | CWE | Vulnerability | Score |
|---|---|---|---|
| 1 | CWE-79 | XSS | 56.92 |
| 3 | CWE-89 | SQL Injection | 35.88 |
| 7 | CWE-78 | OS Command Injection | 11.30 |
Bug Bounty Priority
| Vulnerability | Typical Payout | Difficulty |
|---|---|---|
| Stored XSS | $500-$5K | Medium |
| SQLi with data access | $3K-$20K | Medium |
| SSRF to internal services | $5K-$20K | Medium |
| XXE with file read | $2K-$10K | Medium |
| RCE via SSTI | $10K-$50K | Hard |
Navigation
- Previous: [05_linux_kernel**
- Next: 07_blue_team
- Main: Knowledge Base README
Practical Examples
Try these hands-on labs to practice what you've learned:
Test Questions
What is HTTP request smuggling?
What causes request smuggling vulnerabilities?
What is prototype pollution?
Test Your Knowledge
Review these flashcards to reinforce your understanding
What is HTTP request smuggling?
Tap to reveal
What causes request smuggling vulnerabilities?
Tap to reveal
What is prototype pollution?
Tap to reveal