Understanding Prototype Pollution

Gupta Bless
Nov 5, 2023

JavaScript is widely used for client-side validation, but nowadays it is also used to build servers and other backend applications. As a result, server-side prototype pollution is more likely, and there is a larger threat surface for exploiting JavaScript at runtime. Prototype pollution is essentially an injection attack that targets the JavaScript runtime. JavaScript is an object-oriented programming language that supports inheritance. Whenever we access a property on an object, JavaScript first checks whether the object itself has that property. If it does, the value is returned; otherwise JavaScript looks for the same property on the object's prototype. This process continues up the prototype chain until the property is found or an object with no prototype is reached.
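The lookup and the injection described above, as an added example that is not code from the original post: `findOwner` walks the prototype chain the way property lookup does, and a naive recursive merge is set beside a hardened one on the same input. The function names and the sample input are assumptions constructed for illustration.

```javascript
// Added example: names and sample input are constructed for illustration.
const isObj = (v) => v !== null && typeof v === "object";
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Mirror property lookup: walk the chain and return the object that owns `key`.
function findOwner(obj, key) {
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    if (hasOwn(o, key)) return o;
  }
  return null; // chain ended at an object with no prototype: lookup is undefined
}

// Naive recursive merge: follows every key, including "__proto__".
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (!isObj(source[key])) { target[key] = source[key]; continue; }
    if (!isObj(target[key])) target[key] = {};
    unsafeMerge(target[key], source[key]);
  }
  return target;
}

// Hardened merge: skips prototype-related keys, descends only into own properties.
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED.has(key)) continue;
    if (!isObj(source[key])) { target[key] = source[key]; continue; }
    if (!hasOwn(target, key) || !isObj(target[key])) target[key] = {};
    safeMerge(target[key], source[key]);
  }
  return target;
}

// Merge the same constructed input both ways; report what an unrelated {} sees.
function demo() {
  const input = JSON.parse('{"B": "bless", "__proto__": {"C": "inherited"}}');
  const out = { safeC: safeMerge({}, input).C }; // undefined: key skipped
  unsafeMerge({}, input);
  out.unsafeC = ({}).C; // "inherited", read from Object.prototype
  out.ownerIsObjectPrototype = findOwner({}, "C") === Object.prototype;
  delete Object.prototype.C; // restore the runtime
  out.afterCleanup = ({}).C;
  return out;
}

console.log(demo());
```

Creating lookup tables with `Object.create(null)` gives an object with no prototype, so the chain walk in `findOwner` stops at the object itself.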

Learning More about Prototype Pollution


Let us try to understand this with an example, where A is the object and B is its property.

const A = { B: "bless" };

A.B // "bless"

A.C // undefined

//declaration of prototypes