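id: prototype-pollution-check

info:
  name: Prototype Pollution Check
  author: pdteam
  severity: medium
  description: >-
    Detects client-side prototype pollution by loading the target URL with
    "constructor[prototype]" / "constructor.prototype" / "__proto__" style
    keys in the query string and fragment, then reading
    window.vulnerableprop from the loaded page. A value of "polluted" means
    a URL-controlled key reached Object.prototype.
  classification:
    cwe-id: CWE-1321
  metadata:
    # Four browser sessions below, one navigation each.
    max-request: 4
  tags: headless

headless:
  # Each list entry is an independent browser session with the same shape:
  # navigate with one payload variant, wait for load, read the property the
  # payload tried to set, and match on its value. The entries differ only
  # in the key syntax carried by the URL. The copy after "#" is part of the
  # fragment and is not sent to the server; it reaches client-side code
  # that parses location.hash.
  - steps:
      - args:
          url: "{{BaseURL}}?constructor[prototype][vulnerableprop]=polluted#constructor[prototype][vulnerableprop]=polluted"
        action: navigate
      - action: waitload
      - action: script
        name: extract
        args:
          code: |
            () => {
              return window.vulnerableprop
            }

    matchers:
      - type: word
        part: extract
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?constructor.prototype.vulnerableprop=polluted#constructor.prototype.vulnerableprop=polluted"
        action: navigate
      - action: waitload
      - action: script
        name: extract2
        args:
          code: |
            () => {
              return window.vulnerableprop
            }

    matchers:
      - type: word
        part: extract2
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__proto__[vulnerableprop]=polluted#__proto__.vulnerableprop=polluted&__proto__[vulnerableprop]=polluted"
        action: navigate
      - action: waitload
      - action: script
        name: extract3
        args:
          code: |
            () => {
              return window.vulnerableprop
            }

    matchers:
      - type: word
        part: extract3
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__proto__.vulnerableprop=polluted"
        action: navigate
      - action: waitload
      - action: script
        name: extract4
        args:
          code: |
            () => {
              return window.vulnerableprop
            }

    matchers:
      - type: word
        part: extract4
        words:
          - "polluted"

# NOTE(review): the "# digest:" line that follows appears to be a signature
# over the template body; it will no longer match once any line above is
# edited and has to be regenerated with the template signing tooling.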
# digest: 490a0046304402203ff07b0c962c43a69dfc76af68fa56d67e2a9fd360759cc049f60b0881de88c402207dbfca6a94102f5a72926b28b0d10c3e80ad752625090dfb46f31c1774758f99:922c64590222798bb761d5b6d8e72950