yjaaidi · October 2, 2019 13:24 · Oct 2, 2019
diff --git a/prototype-pollution.js b/prototype-pollution.js
@@ -0,0 +1,23 @@
+const u1 = {firstName: 'Foo'}
+const u2 = {firstName: 'John'}
+
+const body = JSON.parse('{"__proto__": {"admin": true}}')
+
+function vulnerableExtend(dst, src) {
+  Object.entries(src)
+    .forEach(([k, v]) => {
+      if (k in dst) {
+        vulnerableExtend(dst[k], src[k]);
+      } else {
+        dst[k] = src[k];
+      }
+    })
+}
+
+console.log(u1.admin)
+console.log(u2.admin)
+
+vulnerableExtend(u1, body);
+
+console.log(u1.admin)
+console.log(u2.admin)
No results found