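# Headless detection template for client-side prototype pollution.
#
# Every entry under `headless:` follows the same three steps:
#   1. navigate to {{BaseURL}} with a candidate key that assigns the marker
#      property `vulnerableprop` the value "polluted";
#   2. wait for the page load event;
#   3. run a script that returns `window.vulnerableprop`.
# The property is never set on `window` by this template. It only becomes
# readable there if page script copied the URL-derived key onto a prototype
# that `window` inherits from.
#
# Reading a result:
#   - A match shows that URL input reached a prototype. Practical impact
#     depends on which gadgets the page's scripts expose, so the fixed
#     `severity: medium` is a starting point for triage, not a verdict.
#   - No match is not proof of safety: the value is read once, right after
#     `waitload`, so code that parses the URL later (deferred scripts, user
#     interaction) is not observed.
#
# Remediation pointers for the application owner: refuse the keys
# `__proto__`, `constructor` and `prototype` when turning parameters into
# objects, or parse into a `Map` / `Object.create(null)` target. Variants 5-8
# below exist because deleting the keyword once is not an adequate filter.

id: prototype-pollution-check

info:
  name: Prototype Pollution Check
  author: pdteam
  severity: medium
  description: |
    Loads the target in a headless browser with candidate prototype-pollution
    keys in the query string (and, for some variants, the URL fragment), then
    checks whether the marker property `vulnerableprop` became readable from
    `window` with the value "polluted". A match indicates that client-side
    script merged URL-derived keys into a prototype object.
  metadata:
    max-request: 8  # one navigation per variant below
    verified: true
  tags: headless

headless:
  # Variant 1: constructor.prototype, bracket notation, query and fragment.
  - steps:
      - args:
          url: "{{BaseURL}}?constructor[prototype][vulnerableprop]=polluted#constructor[prototype][vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract1
        args:
          code: |
            () => {
              return window.vulnerableprop
            }
    matchers:
      # Substring match on the value returned by the script step above.
      - type: word
        part: extract1
        words:
          - "polluted"

  # Variant 2: constructor.prototype, dot notation, query and fragment.
  - steps:
      - args:
          url: "{{BaseURL}}?constructor.prototype.vulnerableprop=polluted#constructor.prototype.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract2
        args:
          code: |
            () => {
              return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract2
        words:
          - "polluted"

  # Variant 3: __proto__, bracket notation in the query; dot and bracket
  # notation together in the fragment.
  - steps:
      - args:
          url: "{{BaseURL}}?__proto__[vulnerableprop]=polluted#__proto__.vulnerableprop=polluted&__proto__[vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract3
        args:
          code: |
            () => {
              return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract3
        words:
          - "polluted"

  # Variant 4: __proto__, dot notation, query only.
  - steps:
      - args:
          url: "{{BaseURL}}?__proto__.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract4
        args:
          code: |
            () => {
              return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract4
        words:
          - "polluted"

  # Variants 5-8 nest the keyword inside itself. A filter that deletes one
  # occurrence of `__proto__`, `constructor` or `prototype` reassembles the
  # keyword instead of removing it, so a match here means the application's
  # sanitising step needs to reject the key rather than rewrite it.

  # Variant 5: nested __proto__, bracket notation, query only.
  - steps:
      - args:
          url: "{{BaseURL}}?__pro__proto__to__[vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract5
        args:
          code: |
            () => {
              return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract5
        words:
          - "polluted"

  # Variant 6: nested __proto__, dot notation, query only.
  - steps:
      - args:
          url: "{{BaseURL}}?__pro__proto__to__.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract6
        args:
          code: |
            () => {
              return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract6
        words:
          - "polluted"

  # Variant 7: nested constructor/prototype, bracket notation, query only.
  - steps:
      - args:
          url: "{{BaseURL}}?constconstructorructor[protoprototypetype][vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract7
        args:
          code: |
            () => {
              return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract7
        words:
          - "polluted"

  # Variant 8: nested constructor/prototype, dot notation, query only.
  - steps:
      - args:
          url: "{{BaseURL}}?constconstructorructor.protoprototypetype.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract8
        args:
          code: |
            () => {
              return window.vulnerableprop
            }

    matchers:
      - type: word
        part: extract8
        words:
          - "polluted"

# NOTE(review): the digest below is the signature published with the original
# template. It was produced for that file's content, so an edited copy
# (presumably including comment-only edits; confirm against the signer) has to
# be re-signed before the signature verifies again.
# digest: 490a004630440220332d2eb43e6ee2b3b48ca3bd7b953693814ce81ca3c34fa2036bcbfc93482d6a02204efa7ecda7b863d46e7a42d80500a115097ba317b63547ed5c07a4124338dafc:922c64590222798bb761d5b6d8e72950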