Prototype Pollution
Where to find?
- JavaScript-driven frameworks (Express, ...)
PHP
PHP internally uses parse_str() to parse parameters, so it treats the characters “[” and “_” in a parameter name as the same. By default PHP takes the last occurrence of a parameter as the valid one. Where PHP runs on the backend but the front end validates the param, we can smuggle fake params to PHP.
example.com?account_id=guest&account[id=admin
# Front end validates guest; the PHP backend executes admin
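A front end that is not PHP can close this gap by computing the name PHP will assign to each parameter before it validates anything. The block below is an added example, not code from the original notes: `phpKey` and `checkQuery` are hypothetical names, the mangling is a simplified model of PHP's rules, and the query strings are constructed samples.

```javascript
// Simplified model (assumption) of how PHP names a top-level request variable:
// leading spaces dropped, ' ' and '.' become '_', an unmatched '[' becomes '_'.
function phpKey(rawName) {
  const name = rawName.replace(/^ +/, '');
  const open = name.indexOf('[');
  if (open === -1) return name.replace(/[ .]/g, '_');
  const head = name.slice(0, open).replace(/[ .]/g, '_');
  // "a[b]" is array syntax, so the variable is "a"; "a[b" has no closing
  // bracket, so the '[' turns into '_' and the variable is "a_b".
  return name.includes(']', open) ? head : head + '_' + name.slice(open + 1);
}

// Flags every raw parameter that PHP would read as one of the names the
// front end validates, either under another spelling or as a repeat.
function checkQuery(queryString, protectedNames) {
  const findings = [];
  const seen = new Map(); // PHP-side key -> occurrences so far
  for (const [raw, value] of new URLSearchParams(queryString)) {
    const key = phpKey(raw);
    if (!protectedNames.includes(key)) continue;
    const count = (seen.get(key) || 0) + 1;
    seen.set(key, count);
    if (raw !== key) findings.push({ key, raw, value, reason: 'alias' });
    else if (count > 1) findings.push({ key, raw, value, reason: 'duplicate' });
  }
  return findings;
}

// Constructed sample requests, modelled on the example in the notes.
const samples = [
  'account_id=guest&account[id=admin',
  'account_id=guest&account%5Bid=admin',
  'account_id=guest&account.id=admin',
  'account_id=guest&account_id=admin',
  'account_id=guest&page=2',
];
for (const qs of samples) {
  const hits = checkQuery(qs, ['account_id']);
  console.log(qs, '->', hits.length ? JSON.stringify(hits) : 'ok');
}
```

Rejecting a flagged request outright is safer than choosing one of the values, because the two tiers disagree about which occurrence wins.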