Once the attacker can "pollute" the global object, they target specific application behaviors to gain control:
The application uses a vulnerable library (like lodash or merge-deep ) to combine user input into a configuration object.
In this challenge, participants are presented with a compressed archive ( .7z ) containing the source code for a fictional online storefront called "Moan Shop." The objective is to identify and exploit vulnerabilities within the application to retrieve a hidden "flag"—a specific string of text that proves the system was successfully breached. moanshop.7z
Injecting an isAdmin: true property into the prototype so that every user session is treated as an administrator.
Leftover API keys or developer credentials. Once the attacker can "pollute" the global object,
In many versions of the "Moan Shop" challenge, the vulnerability is .
Identifies a vulnerable merge function in the cart.js or admin.js file. Leftover API keys or developer credentials
Triggers a system command (e.g., cat /flag.txt ) to read the secret flag.
USA 
Canada 
Australia