nuclei-templates/headless/prototype-pollution-check.yaml

id: prototype-pollution-check

info:
  name: Prototype Pollution Check
  author: pdteam
  severity: medium
  metadata:
    max-request: 4
  tags: headless

headless:
  - steps:
      - args:
          url: "{{BaseURL}}?constructor[prototype][vulnerableprop]=polluted#constructor[prototype][vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?constructor.prototype.vulnerableprop=polluted#constructor.prototype.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract2
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract2
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__proto__[vulnerableprop]=polluted#__proto__.vulnerableprop=polluted&__proto__[vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract3
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract3
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__proto__.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract4
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract4
        words:
          - "polluted"
# digest: 490a0046304402203ff07b0c962c43a69dfc76af68fa56d67e2a9fd360759cc049f60b0881de88c402207dbfca6a94102f5a72926b28b0d10c3e80ad752625090dfb46f31c1774758f99:922c64590222798bb761d5b6d8e72950
Adding headless templates 2021-03-10 08:33:40 +00:00			`id: prototype-pollution-check`

			`info:`
			`name: Prototype Pollution Check`
misc tag updates 2021-04-06 06:46:11 +00:00			`author: pdteam`
Adding headless templates 2021-03-10 08:33:40 +00:00			`severity: medium`
TemplateMan Update [Tue Oct 31 10:54:20 UTC 2023] :robot: 2023-10-31 10:54:20 +00:00			`metadata:`
			`max-request: 4`
Adding headless templates 2021-03-10 08:33:40 +00:00			`tags: headless`
trailspace fix 2024-01-04 06:27:45 +00:00
Adding headless templates 2021-03-10 08:33:40 +00:00			`headless:`
			`- steps:`
Simpler Prototype pollution template 2023-01-09 16:13:13 +00:00			`- args:`
			`url: "{{BaseURL}}?constructor[prototype][vulnerableprop]=polluted#constructor[prototype][vulnerableprop]=polluted"`
			`action: navigate`

			`- action: waitload`

Adding headless templates 2021-03-10 08:33:40 +00:00			`- action: script`
Simpler Prototype pollution template 2023-01-09 16:13:13 +00:00			`name: extract`
Adding headless templates 2021-03-10 08:33:40 +00:00			`args:`
			`code: \|`
Fix code execution in headless templates (#4484) * Wrapping the JS code with a function https://github.com/projectdiscovery/nuclei/issues/2017 * Wrapping the JS code with a function https://github.com/projectdiscovery/nuclei/issues/2017 2022-07-28 11:21:08 +00:00			`() => {`
Simpler Prototype pollution template 2023-01-09 16:13:13 +00:00			`return window.vulnerableprop`
			`}`
			`matchers:`
			`- type: word`
			`part: extract`
			`words:`
			`- "polluted"`
templateman update 2023-10-14 11:27:55 +00:00
Simpler Prototype pollution template 2023-01-09 16:13:13 +00:00			`- steps:`
			`- args:`
			`url: "{{BaseURL}}?constructor.prototype.vulnerableprop=polluted#constructor.prototype.vulnerableprop=polluted"`
			`action: navigate`
Adding headless templates 2021-03-10 08:33:40 +00:00
Simpler Prototype pollution template 2023-01-09 16:13:13 +00:00			`- action: waitload`
Adding headless templates 2021-03-10 08:33:40 +00:00
Simpler Prototype pollution template 2023-01-09 16:13:13 +00:00			`- action: script`
			`name: extract2`
			`args:`
			`code: \|`
			`() => {`
			`return window.vulnerableprop`
			`}`
			`matchers:`
			`- type: word`
			`part: extract2`
			`words:`
			`- "polluted"`
Adding headless templates 2021-03-10 08:33:40 +00:00
Simpler Prototype pollution template 2023-01-09 16:13:13 +00:00			`- steps:`
Adding headless templates 2021-03-10 08:33:40 +00:00			`- args:`
Simpler Prototype pollution template 2023-01-09 16:13:13 +00:00			`url: "{{BaseURL}}?__proto__[vulnerableprop]=polluted#__proto__.vulnerableprop=polluted&__proto__[vulnerableprop]=polluted"`
Adding headless templates 2021-03-10 08:33:40 +00:00			`action: navigate`
Simpler Prototype pollution template 2023-01-09 16:13:13 +00:00
Adding headless templates 2021-03-10 08:33:40 +00:00			`- action: waitload`
misc fixes to headless template (#5239) 2022-08-29 09:10:50 +00:00
Adding headless templates 2021-03-10 08:33:40 +00:00			`- action: script`
Simpler Prototype pollution template 2023-01-09 16:13:13 +00:00			`name: extract3`
Adding headless templates 2021-03-10 08:33:40 +00:00			`args:`
misc fixes to headless template (#5239) 2022-08-29 09:10:50 +00:00			`code: \|`
Simpler Prototype pollution template 2023-01-09 16:13:13 +00:00			`() => {`
			`return window.vulnerableprop`
			`}`
Adding headless templates 2021-03-10 08:33:40 +00:00			`matchers:`
			`- type: word`
Simpler Prototype pollution template 2023-01-09 16:13:13 +00:00			`part: extract3`
Adding headless templates 2021-03-10 08:33:40 +00:00			`words:`
Simpler Prototype pollution template 2023-01-09 16:13:13 +00:00			`- "polluted"`
templateman update 2023-10-14 11:27:55 +00:00
Simpler Prototype pollution template 2023-01-09 16:13:13 +00:00			`- steps:`
			`- args:`
			`url: "{{BaseURL}}?__proto__.vulnerableprop=polluted"`
			`action: navigate`
misc fixes to headless template (#5239) 2022-08-29 09:10:50 +00:00
Simpler Prototype pollution template 2023-01-09 16:13:13 +00:00			`- action: waitload`

			`- action: script`
			`name: extract4`
			`args:`
			`code: \|`
			`() => {`
			`return window.vulnerableprop`
			`}`
			`matchers:`
			`- type: word`
			`part: extract4`
			`words:`
			`- "polluted"`
Auto Template Signing [Thu Jan 4 06:57:22 UTC 2024] :robot: 2024-01-04 06:57:22 +00:00			`# digest: 490a0046304402203ff07b0c962c43a69dfc76af68fa56d67e2a9fd360759cc049f60b0881de88c402207dbfca6a94102f5a72926b28b0d10c3e80ad752625090dfb46f31c1774758f99:922c64590222798bb761d5b6d8e72950`