Moanshop.7z

An attacker sends a JSON payload containing the __proto__ key. This allows them to inject properties into the global object prototype, effectively changing the behavior of the entire application.

3. From Pollution to Remote Code Execution (RCE)

Triggers a system command (e.g., cat /flag.txt) to read the secret flag.

The .7z file contains the application's backend logic, often written in or Python (Flask/Django). By analyzing the code, researchers look for:

Leftover API keys or developer credentials.

Injecting an isAdmin: true property into the prototype so that every user session is treated as an administrator.

Once the attacker can "pollute" the global object, they target specific application behaviors to gain control: