Module 17 · Prototype Pollution

Manish Garg · Associate of (ISC)² · RingSafe
Apr 22, 2026
11 min read

Last updated: May 1, 2026

JS prototype model, pollution sources, attack vectors (auth bypass, RCE chains), Object.create(null) defense.

Prototype pollution is a JavaScript-specific vulnerability in which attacker-controlled input modifies the prototype of a built-in object (usually Object.prototype, sometimes Array.prototype). Because property lookups fall back to the prototype chain, every object that inherits from the polluted prototype appears to have the attacker's properties. Depending on what the application does with those properties (the "gadgets"), the impact ranges from authentication and authorization bypass (a check such as user.isAdmin suddenly passing for everyone), to DOM XSS in browser-side code, to remote code execution in some Node.js applications where a polluted option reaches a child process, template engine or similar sink. This module covers the mechanism, detection, and defenses.

JavaScript prototype basics

Every object in JavaScript has a prototype. Property lookups walk up the chain: object → its prototype → its prototype’s prototype → … → Object.prototype → null.

const a = {};
console.log(a.toString);     // function: not an own property of a, inherited from Object.prototype

Object.prototype.foo = "polluted";   // the write that an attacker wants to achieve
console.log({}.foo);                 // "polluted": a brand-new object already inherits it
console.log(a.foo);                  // "polluted": so do objects created before the write
console.log([].foo);                 // "polluted": arrays inherit from Object.prototype too

If an attacker can write to Object.prototype, every object in the application gains the new properties, retroactively and regardless of where it was created. An attacker rarely gets to reference Object.prototype by name; the usual route is a key named __proto__ (or the pair constructor and prototype) inside attacker-controlled JSON that a recursive merge, deep clone or path-setting function writes through, because obj["__proto__"] on any plain object resolves to Object.prototype via the inherited accessor rather than creating an own property.
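The following is an added, self-contained example (not code from the original module or from the author) showing that route end to end: a naive recursive merge, a constructed attacker payload that pollutes Object.prototype through it, the authorization check that the pollution defeats, and a hardened merge that blocks the dangerous keys and stores nested data in prototype-less containers. The function names, the payload and the isAdmin check are assumptions made for illustration, not from the page.

```javascript
// Added example, not the original page's code. Demonstrates prototype pollution
// through an unsafe recursive merge and one way to harden it.

// Vulnerable: walks every key of source, including "__proto__", so when target is
// a plain object, target["__proto__"] resolves to Object.prototype and the
// recursive call writes the attacker's nested keys onto it.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === "object") {
      if (!target[key]) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: drop the keys that reach a prototype, only use own keys of source,
// and create nested containers with Object.create(null) so they have no
// prototype to pollute.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (!existing || typeof existing !== "object") target[key] = Object.create(null);
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Assumed authorization check: a typical gadget, it reads a property that a
// polluted prototype can supply for every object.
function isAdmin(user) {
  return user.isAdmin === true;
}

// Constructed attacker payload (e.g. a JSON request body the app merges into a
// session or config object). JSON.parse creates an own property literally
// named "__proto__", which the merge then writes through.
const ATTACKER_JSON = '{"name":"alice","__proto__":{"isAdmin":true}}';

function demoUnsafe() {
  const session = unsafeMerge({}, JSON.parse(ATTACKER_JSON));
  const unrelatedUser = { name: "bob" };
  const result = {
    sessionIsAdmin: isAdmin(session),           // true, but not stored on session
    unrelatedIsAdmin: isAdmin(unrelatedUser),   // true: every object inherits it now
    ownProperty: Object.prototype.hasOwnProperty.call(session, "isAdmin"),  // false
  };
  delete Object.prototype.isAdmin;   // clean up so the rest of this run is not affected
  return result;
}

function demoSafe() {
  const session = safeMerge(Object.create(null), JSON.parse(ATTACKER_JSON));
  const unrelatedUser = { name: "bob" };
  return {
    sessionIsAdmin: isAdmin(session),          // false: "__proto__" key was dropped
    unrelatedIsAdmin: isAdmin(unrelatedUser),  // false: Object.prototype untouched
    name: session.name,                        // "alice": ordinary keys still merge
  };
}

console.log("unsafe merge:", demoUnsafe());
console.log("safe merge:  ", demoSafe());
```

Two details are worth noticing when reading the output: the polluted isAdmin is never an own property of any object (hasOwnProperty reports false), which is why allow-listing keys and using prototype-less objects for attacker-shaped data are stronger defenses than trying to detect the pollution afterwards; and the vulnerable merge also accepts constructor.prototype, which is why the block list in safeMerge covers more than just __proto__.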
