the objects created in the application through the prototype chain.
• If Object.prototype is tampered with by a malicious user somehow, then every object in the application will have access to the tampered property.
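An added example (not from the original slides) of the point above: a recursive merge that accepts a "__proto__" key writes through to Object.prototype, an unrelated object created afterwards sees the property, and a hardened merge plus a startup snapshot of Object.prototype's keys show the mitigation and a runtime check. The untrusted input is constructed for the demonstration.

```javascript
// Added example, not from the original slides: a recursive merge reaching Object.prototype
// via a "__proto__" key, its effect on unrelated objects, a hardened merge, and a canary.
const BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype)); // snapshot at startup
// Defender check: keys that appeared on Object.prototype since startup.
function unexpectedPrototypeKeys() {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !BASELINE.has(k));
}

// Vulnerable: walks every key of `src`, so "__proto__" is looked up on `dst`,
// resolves to Object.prototype, and the nested keys are written into it.
function unsafeMerge(dst, src) {
  for (const key in src) {
    const val = src[key];
    if (typeof val === "object" && val !== null) {
      if (typeof dst[key] !== "object" || dst[key] === null) dst[key] = {};
      unsafeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Hardened: drop prototype-reaching keys; only recurse into objects `dst` owns.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = src[key];
    if (typeof val === "object" && val !== null) {
      const own = Object.prototype.hasOwnProperty.call(dst, key) && typeof dst[key] === "object";
      if (!own || dst[key] === null) dst[key] = {};
      safeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Merges constructed untrusted input (the shape a vulnerable query/hash parser
// would hand over) and reports what an unrelated, freshly created object sees.
function demo(merge) {
  const untrusted = JSON.parse('{"__proto__": {"polluted": "yes"}}'); // constructed
  merge({}, untrusted);
  const result = { leaked: ({}).polluted, unexpected: unexpectedPrototypeKeys() };
  delete Object.prototype.polluted; // reset so the next run starts clean
  return result;
}
```

Freezing Object.prototype at startup (Object.freeze) is a further layer, but it has to be applied before any library that legitimately extends the prototype loads.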
sites which have vulnerable location parsing, either via the query value or the hash value in the URL.
- Advantage:
  - Scalable
- Disadvantage:
  - Only finds vulnerable location parsing
  - We can't scan authenticated pages
a piece of code in the application which can be triggered via prototype pollution and can be used to upgrade prototype pollution to XSS.
- Hard and interesting part after detection.
- Need to find the gadget most of the time.
- If you are lucky, pollute.js and untrusted-types can quickly find one.
- Idea: I think it can be automated with CodeQL