Merge pull request #10589 from h41th/patch-1

Update prototype pollution checks that bypasses insecure sanitization
2024-10-15 12:02:41 +04:00 · 2024-10-15 12:02:41 +04:00 · 5496de87c6
parent 7110667d97 a381f22134
commit 5496de87c6
1 changed files with 87 additions and 4 deletions
--- a/headless/prototype-pollution-check.yaml
+++ b/headless/prototype-pollution-check.yaml
@ -5,7 +5,8 @@ info:
  author: pdteam
  severity: medium
  metadata:
-    max-request: 4
+    max-request: 8
+    verified: true
  tags: headless

 headless:
@ -17,7 +18,7 @@ headless:
      - action: waitload

      - action: script
-        name: extract
+        name: extract1
        args:
          code: |
            () => {
@ -25,7 +26,7 @@ headless:
            }
    matchers:
      - type: word
-        part: extract
+        part: extract1
        words:
          - "polluted"

@ -88,4 +89,86 @@ headless:
        part: extract4
        words:
          - "polluted"
-# digest: 490a0046304402203ff07b0c962c43a69dfc76af68fa56d67e2a9fd360759cc049f60b0881de88c402207dbfca6a94102f5a72926b28b0d10c3e80ad752625090dfb46f31c1774758f99:922c64590222798bb761d5b6d8e72950
+
+  - steps:
+      - args:
+          url: "{{BaseURL}}?__pro__proto__to__[vulnerableprop]=polluted"
+        action: navigate
+
+      - action: waitload
+
+      - action: script
+        name: extract5
+        args:
+          code: |
+            () => {
+             return window.vulnerableprop
+            }
+    matchers:
+      - type: word
+        part: extract5
+        words:
+          - "polluted"
+
+  - steps:
+      - args:
+          url: "{{BaseURL}}?__pro__proto__to__.vulnerableprop=polluted"
+        action: navigate
+
+      - action: waitload
+
+      - action: script
+        name: extract6
+        args:
+          code: |
+            () => {
+             return window.vulnerableprop
+            }
+    matchers:
+      - type: word
+        part: extract6
+        words:
+          - "polluted"
+
+  - steps:
+      - args:
+          url: "{{BaseURL}}?constconstructorructor[protoprototypetype][vulnerableprop]=polluted"
+        action: navigate
+
+      - action: waitload
+
+      - action: script
+        name: extract7
+        args:
+          code: |
+            () => {
+             return window.vulnerableprop
+            }
+    matchers:
+      - type: word
+        part: extract7
+        words:
+          - "polluted"
+
+  - steps:
+      - args:
+          url: "{{BaseURL}}?constconstructorructor.protoprototypetype.vulnerableprop=polluted"
+        action: navigate
+
+      - action: waitload
+
+      - action: script
+        name: extract8
+        args:
+          code: |
+            () => {
+             return window.vulnerableprop
+            }
+
+    matchers:
+      - type: word
+        part: extract8
+        words:
+          - "polluted"
+
+# digest: 490a0046304402203ff07b0c962c43a69dfc76af68fa56d67e2a9fd360759cc049f60b0881de88c402207dbfca6a94102f5a72926b28b0d10c3e80ad752625090dfb46f31c1774758f99:922c64590222798bb761d5b6d8e72950