Prototype pollution exploits unsafe object merging or property assignment in JavaScript to inject properties onto Object.prototype using keys like __proto__ or constructor.prototype. Once polluted, the property appears on nearly every object in the app, which can corrupt logic, bypass checks, or escalate to XSS or RCE.
Send a payload such as {"__proto__": {"isAdmin": true}} into a vulnerable merge or JSON.parse-then-assign flow, or use the dotted constructor.prototype.x form when __proto__ is filtered. The generator builds both JSON-body and query-string variants like ?__proto__[isAdmin]=true.
Find a gadget that reads a polluted property as code or markup, for example polluting a template option, a child_process spawn argument, or an innerHTML default in a sink. Server-side Node gadgets can reach command execution, while client-side gadgets often land DOM XSS through a sanitizer config.
Yes. It is free and fully client-side, so the __proto__ and constructor payloads it generates are never sent to any server. Use it only on applications you are authorized to assess.