Prototype pollution (not to be confused with Parameter pollution)is a little-known bug. Unlike SQL Injection or XSS, Prototype pollution is not well documented. In this blog let’s understand how to exploit this bug in the wild.

Image Credits: Portswigger

What is a prototype?

In JavaScript the concepts of class and function are interrelated. The function itself acts…

In PHP “==” is used to compare values of two variables, but like PHP the “==” comparison is also weird. When comparing a string and an integer using “==”, PHP will try to convert the string to an integer and then do the comparison. …

You should die is a web challenge with 60 points,


PwnQL 1 and 2 are web challenges with points 50 and 75 respectively,


Wild Goose Hunt is a web-based challenge with the difficulty of 2 stars,

CAAS is a web-based challenge with a difficulty of two stars,

MiniSTRyplace is a web-based challenge with a difficulty of one star,

Let’s start by reading the source code from the folder provided,

RCE allows an attacker to execute code on a vulnerable machine and the CVSS severity level of RCE is critical (well what more do you need than that?)

Image Credits: Google

Note: Check out this blog for more PHP Pwning and to learn why PHP is targeted.


Similar to the system() function in…

Challenges: Sessions, Dababy web


I used to think if a device is not exposed to the public internet, it is safe, because bad actors cannot access them as it has NAT (Network Address Translation) and a firewall in front of the device. Well, let us uncover the truth.

Note: A bit about me, I…

Mudhalai Mr

<>AKA Gowtham Student at SASTRA Deemed university, Core team member DSC SASTRA </>

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store