Moanshop.7z 〈Web〉
The file is associated with a widely known and high-stakes Capture The Flag (CTF) challenge, typically categorized under Web Exploitation or Reverse Engineering.

The .7z file contains the application's backend logic, often written in or Python (Flask/Django). By analyzing the code, researchers look for:

The application uses a vulnerable library (like lodash or merge-deep) to combine user input into a configuration object. An attacker sends a JSON payload containing the __proto__ key. This allows them to inject properties into the global object prototype, effectively changing the behavior of the entire application.

3. From Pollution to Remote Code Execution (RCE)

Injecting an isAdmin: true property into the prototype so that every user session is treated as an administrator.

Crafts a malicious POST request to pollute the server's environment.
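As an added example (not code from the challenge archive), here is the vulnerable recursive-merge shape beside a hardened one, with a constructed request body showing how a polluted isAdmin surfaces on every freshly created object; the names naiveMerge, safeMerge and sessionLooksAdmin are hypothetical.

```javascript
// Added example, not from the Moanshop challenge: a naive recursive merge of
// the kind this bug class depends on, beside a hardened merge that refuses
// prototype-affecting keys.

// Vulnerable pattern: walks every key, including "__proto__", so a JSON body
// can steer the recursion onto Object.prototype.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: own keys only, and never the three keys that can redirect
// the walk onto a prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;          // drop it, or reject the request
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed request body (JSON.parse keeps "__proto__" as a plain own key,
// which is exactly why the naive merge reaches it).
const BODY = JSON.parse('{"theme":"dark","__proto__":{"isAdmin":true}}');

// Merges the body into a config object, then checks whether an unrelated,
// freshly created session object now inherits isAdmin. Undoes any pollution
// afterwards so the rest of the process is unaffected.
function sessionLooksAdmin(mergeFn) {
  mergeFn({ theme: 'light' }, BODY);
  const session = {};                  // isAdmin was never set on this object
  const polluted = session.isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}
```

A cheap detection check for the same bug is to walk the parsed body before merging and reject any request whose keys include the three names in FORBIDDEN_KEYS.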