Configuration Manager

Register, update your profile settings, and try to access the admin panel. The deep merge function used for profile updates has a critical flaw.


How it works

The /api/profile/update endpoint uses a custom deepMerge() function that recursively merges user input into the user object.

If you send {"__proto__": {"isAdmin": true}} as the update payload, the recursive merge treats "__proto__" like any other nested key: it looks up target["__proto__"], which resolves to Object.prototype, and writes isAdmin: true into it. Every object that does not define its own isAdmin property, including other users' records and objects created afterwards, then inherits isAdmin: true.

API endpoints:

  • POST /api/register — Create account
  • POST /api/profile/update — Update profile (vulnerable)
  • GET /api/admin/panel?username=X — Admin panel (checks role/isAdmin)
