Moanshop.7z
An attacker sends a JSON payload containing the __proto__ key. This allows them to inject properties into the global object prototype, effectively changing the behavior of the entire application.
3. From Pollution to Remote Code Execution (RCE)
Injecting an isAdmin: true property into the prototype so that every user session is treated as an administrator.
Identifies a vulnerable merge function in the cart.js or admin.js file.
In many versions of the "Moan Shop" challenge, the vulnerability is .
Crafts a malicious POST request to pollute the server’s environment.
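The merge behavior described above, shown next to a hardened version. This is an added example, not code from the challenge or the original page; naiveMerge, safeMerge, pollutionCheck and the sample request body are hypothetical names and constructed data.

```javascript
// Added example: these names are hypothetical, not taken from cart.js or admin.js.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable pattern: a recursive merge that follows every key.
// For the key "__proto__", target[key] resolves to Object.prototype,
// so the recursion writes attacker-chosen properties onto it.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: own keys only, prototype-related keys skipped,
// and recursion only into objects the target owns itself.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const owned = Object.prototype.hasOwnProperty.call(target, key);
      const child = owned && isPlainObject(target[key]) ? target[key] : (target[key] = {});
      safeMerge(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merges a constructed request body, then checks whether a fresh,
// unrelated object has inherited isAdmin from Object.prototype.
function pollutionCheck(mergeFn) {
  const body = JSON.parse('{"qty": 2, "__proto__": {"isAdmin": true}}'); // constructed sample
  const cart = mergeFn({ qty: 1 }, body);
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // restore global state after the check
  return { qty: cart.qty, polluted };
}

console.log('naive:', pollutionCheck(naiveMerge), 'safe:', pollutionCheck(safeMerge));
```

The same check works as a regression test for any merge helper: run it against the function and fail the build if polluted comes back true.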