1 - Client-side prototype pollution via browser APIs

Usando DOM invader :
Client-side prototype pollution vulnerabilities | Web Security Academy
Testing for client-side prototype pollution - PortSwigger

Object.propotype

let myObject = {};
console.log(myObject.testproperty); // Output: 'DOM_INVADER_PP_POC'

Manual :

https://0a9e0053041c0868807d0dd200f500d2.web-security-academy.net/?__proto__[foo]=bar