pwneglyph logo

Note

web javascript prototype information-disclosure dynamic-routes nodejs

Probe routes that index objects by path key for inherited properties to reveal structure and prototype-pollution reachability.

proto / Inherited Property Exposure through Dynamic Routes

If a route serializes arbitrary object properties selected from the path, inherited properties may leak internal structure and reveal prototype-pollution reachability.

Why It Matters

  • Returning inherited keys hints at object shape and confirms whether pollution gadgets are reachable.

Vulnerable Pattern

  • REST-ish routes like /items/<key> that index directly into objects without hasOwnProperty checks.

Exploit Flow

  1. Request __proto__, constructor, and nearby meta-properties first.
  2. Inspect what shape is returned.

Common Blockers

  • JSON serialization may drop functions or complex objects, giving only partial signal.

PoC Sketch

GET /items/__proto__
GET /cart/__proto__
# inspect whether inherited keys are serialized back

Good Situations To Use It

  • A route indexes objects by a path-supplied key.
  • No hasOwnProperty guard exists.
  • You're scoping prototype-pollution reachability.

Sources

  • ehaxctf2026/web/modernshop