Want to run this Docker container locally?

docker run -p 9066:3000 -d --restart always --name prototype-pollution joshbeck2024/ctf-prototype-pollution

Challenge Overview

Goal: Access the "Prototype Lab" (admin area) to retrieve the flag.

Vulnerabilities Explained

1. SQL Injection (The Password Bypass)

The application uses an unsafe SQL query:

const query = `SELECT id FROM users WHERE username = '${username}' AND password = '${password}'`;

Why SELECT 1 as id works: Normally, the query returns no rows if the password is wrong. By injecting ' UNION SELECT 1 as id;-- into the password field, the query becomes:

SELECT id FROM users WHERE username = '...' AND password = '' UNION SELECT 1 as id;--'

  1. The first part (before UNION) returns nothing (false).
  2. The UNION operator combines results.
  3. SELECT 1 as id creates a virtual row containing id: 1.
  4. The -- comments out the rest of the original query (including the trailing quote). The application sees a result { id: 1 } and logs you in!

2. Prototype Pollution / Logic Bug (The Admin Bypass)

After logging in, the code checks if you are an admin:

if (activeAdmins[username]) {
  // grant flag
}

activeAdmins is a simple object {}. In JavaScript, even empty objects inherit properties from Object.prototype. One such property is the function toString.