web javascript prototype-pollution path-copy dom xss

Abuse a custom "copy a.b.c into x.y.z" parser as an arbitrary property write across the browser object graph.

Prototype Pollution / Path-Copy Gadget from Query String

A custom "copy value from a.b.c into x.y.z" parser effectively exposes arbitrary property writes when parameter names encode object paths. Browser objects are graph-shaped and full of useful reachable properties: ownerDocument, defaultView, head, children, and prototype objects.

Why It Works

  • Splitting param names on . and walking object paths without checking prototype keys lets you write anywhere reachable from the root object.

Vulnerable Pattern

  • Frontend code splitting param names on . and walking object paths without checking for prototype keys or unsafe objects.
  • Helper functions that resolve strings like ownerDocument.defaultView.alert to real references.

Exploit Flow

  1. Map the reachable graph from the initial root object.
  2. Land harmless values to confirm which destinations are writable and which sources are readable.
  3. Target a callable sink or a future dereference point used by the page's own logic.

Variations

  • Direct prototype pollution, property clobbering on live DOM objects, or aliases that later code treats as trusted functions.

Common Blockers

  • Frozen objects, property-write failures, parser allowlists, or code stripping __proto__, constructor, prototype.
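Added example (not code from the page or from the fcsc2026 challenges): a path-copy helper in the vulnerable shape described under Vulnerable Pattern, beside a hardened version that applies the blockers listed above. The function names and the sample root object are assumptions.

```javascript
// Added example, not code from the page or the referenced challenges.
// Vulnerable shape: split on "." and walk whatever the path reaches, so
// prototype keys and every object in the graph are writable from a param.
function copyPathUnsafe(root, srcPath, dstPath) {
  const resolve = (p) => p.split('.').reduce((o, k) => o[k], root);
  const dstKeys = dstPath.split('.');
  const last = dstKeys.pop();
  dstKeys.reduce((o, k) => o[k], root)[last] = resolve(srcPath);
}

// With no key filtering the write lands on Object.prototype and every
// object inherits it; the pollution is undone before returning.
function demoUnsafePollutes() {
  const root = { cfg: { flag: 'yes' } };                  // constructed sample
  copyPathUnsafe(root, 'cfg.flag', '__proto__.polluted');
  const inherited = ({}).polluted;
  delete Object.prototype.polluted;
  return inherited;                                       // 'yes'
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlain = (o) => o !== null && typeof o === 'object' &&
  [Object.prototype, null].includes(Object.getPrototypeOf(o));

// Hardened: prototype keys rejected, depth bounded, traversal limited to own
// properties of plain objects, and only primitives copied (no callable alias).
function copyPathSafe(root, srcPath, dstPath, maxDepth = 8) {
  const parse = (p) => {
    const keys = p.split('.');
    if (keys.length > maxDepth) throw new Error('path too deep');
    for (const k of keys) {
      if (k === '' || FORBIDDEN_KEYS.has(k)) throw new Error('forbidden key: ' + k);
    }
    return keys;
  };
  const walk = (keys) => keys.reduce((o, k) => {
    if (!isPlain(o) || !Object.prototype.hasOwnProperty.call(o, k)) throw new Error('unreachable: ' + k);
    return o[k];
  }, root);
  const value = walk(parse(srcPath));
  // Object(v) === v holds for objects and functions, never for primitives.
  if (Object(value) === value) throw new Error('only primitive values may be copied');
  const dstKeys = parse(dstPath);
  const last = dstKeys.pop();
  const target = walk(dstKeys);
  if (!isPlain(target)) throw new Error('destination is not a plain object');
  target[last] = value;
  return value;
}
```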

PoC Sketch

?ownerDocument.defaultView.blacklist.includes=ownerDocument.defaultView.eval&x=alert(1)

Good Situations To Use It

  • A param-driven path-copy/merge helper exists in the bundle.
  • The graph reaches a callable or a security-relevant property.
  • Prototype keys aren't explicitly stripped.

Sources

  • fcsc2026/web/shrimp_saver
  • fcsc2026/web/shrimp_saver_revenge