From 321f5ea7ea27c7226ef5ab199d419991bf1fc141 Mon Sep 17 00:00:00 2001 From: CPol Date: Mon, 25 Apr 2022 11:14:33 +0000 Subject: [PATCH] GitBook: [#3123] No subject --- .../nodejs-proto-prototype-pollution/README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md b/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md index 7d41e84c..8c8e803b 100644 --- a/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md +++ b/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md @@ -139,6 +139,20 @@ something.constructor.prototype.sayHey = function(){console.log("Hey!")} After executing that code, **each JS object will be able to execute the function `sayHey`**. +### Array elements pollution + +Note that as you can pollute attributes of objects in JS, if you have access to pollute an array you can also **pollute values of the array** accessible **by indexes** (note that you cannot overwrite values, so you need to pollute indexes that are somehow used but not written). + +```javascript +c = [1,2] +a = [] +a.constructor.prototype[1] = "yolo" +b = [] +b[0] //undefined +b[1] //"yolo" +c[1] // 2 -- not +``` + ## Examples ### Basic Example
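Review bot: the last line of the new code block, `c[1] // 2 -- not`, is cut off, and the prose claim that "you cannot overwrite values" is imprecise as worded: `c[1]` is an own element of `c`, and own properties shadow `Array.prototype`, so the lookup never reaches the polluted index. Suggest completing the comment, e.g. `c[1] // 2 -- not affected, own element shadows the prototype`, and rewording the parenthetical to say that only reads of indexes with no own value (holes, or out-of-range reads like `b[1]` on the empty array) resolve to the polluted prototype value. It would also help the reader to state explicitly that `a`, `b` and `c` all share `Array.prototype`, which is why writing through `a.constructor.prototype[1]` is visible on `b`; and the heading reads more naturally as "Array element pollution".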