Update prototype pollution checks to include matchers for insecure sanitization

Added some steps to check for prototype pollution when there's insecure sanitization. Pulled from Portswigger Web Academy : https://portswigger.net/web-security/prototype-pollution/client-side#bypassing-flawed-key-sanitization
2024-08-22 22:33:45 +02:00 · 2024-08-22 22:33:45 +02:00 · 3d448d0f80
parent 41cfbbc578
commit 3d448d0f80
1 changed files with 82 additions and 1 deletions
--- a/headless/prototype-pollution-check.yaml
+++ b/headless/prototype-pollution-check.yaml
@ -88,4 +88,85 @@ headless:
        part: extract4
        words:
          - "polluted"
-# digest: 490a0046304402203ff07b0c962c43a69dfc76af68fa56d67e2a9fd360759cc049f60b0881de88c402207dbfca6a94102f5a72926b28b0d10c3e80ad752625090dfb46f31c1774758f99:922c64590222798bb761d5b6d8e72950
+
+  - steps:
+      - args:
+          url: "{{BaseURL}}?__pro__proto__to__[vulnerableprop]=polluted"
+        action: navigate
+
+      - action: waitload
+
+      - action: script
+        name: extract5
+        args:
+          code: |
+            () => {
+             return window.vulnerableprop
+            }
+    matchers:
+      - type: word
+        part: extract5
+        words:
+          - "polluted"
+
+  - steps:
+      - args:
+          url: "{{BaseURL}}?__pro__proto__to__.vulnerableprop=polluted"
+        action: navigate
+
+      - action: waitload
+
+      - action: script
+        name: extract6
+        args:
+          code: |
+            () => {
+             return window.vulnerableprop
+            }
+    matchers:
+      - type: word
+        part: extract6
+        words:
+          - "polluted"
+
+  - steps:
+      - args:
+          url: "{{BaseURL}}?constconstructorructor[protoprototypetype][vulnerableprop]=polluted"
+        action: navigate
+
+      - action: waitload
+
+      - action: script
+        name: extract7
+        args:
+          code: |
+            () => {
+             return window.vulnerableprop
+            }
+    matchers:
+      - type: word
+        part: extract7
+        words:
+          - "polluted"
+
+  - steps:
+      - args:
+          url: "{{BaseURL}}?constconstructorructor.protoprototypetype.vulnerableprop=polluted"
+        action: navigate
+
+      - action: waitload
+
+      - action: script
+        name: extract8
+        args:
+          code: |
+            () => {
+             return window.vulnerableprop
+            }
+    matchers:
+      - type: word
+        part: extract8
+        words:
+          - "polluted"
+
+# digest: 490a0046304402203ff07b0c962c43a69dfc76af68fa56d67e2a9fd360759cc049f60b0881de88c402207dbfca6a94102f5a72926b28b0d10c3e80ad752625090dfb46f31c1774758f99:922c64590222798bb761d5b6d8e72950