diff --git a/headless/prototype-pollution-check.yaml b/headless/prototype-pollution-check.yaml index 5489a5ce48..7788abb55f 100644 --- a/headless/prototype-pollution-check.yaml +++ b/headless/prototype-pollution-check.yaml @@ -5,7 +5,8 @@ info: author: pdteam severity: medium metadata: - max-request: 4 + max-request: 8 + verified: true tags: headless headless: @@ -17,7 +18,7 @@ headless: - action: waitload - action: script - name: extract + name: extract1 args: code: | () => { @@ -25,7 +26,7 @@ headless: } matchers: - type: word - part: extract + part: extract1 words: - "polluted" 
@@ -88,4 +89,86 @@ headless: part: extract4 words: - "polluted" -# digest: 490a0046304402203ff07b0c962c43a69dfc76af68fa56d67e2a9fd360759cc049f60b0881de88c402207dbfca6a94102f5a72926b28b0d10c3e80ad752625090dfb46f31c1774758f99:922c64590222798bb761d5b6d8e72950 \ No newline at end of file + + - steps: + - args: + url: "{{BaseURL}}?__pro__proto__to__[vulnerableprop]=polluted" + action: navigate + + - action: waitload + + - action: script + name: extract5 + args: + code: | + () => { + return window.vulnerableprop + } + matchers: + - type: word + part: extract5 + words: + - "polluted" + + - steps: + - args: + url: "{{BaseURL}}?__pro__proto__to__.vulnerableprop=polluted" + action: navigate + + - action: waitload + + - action: script + name: extract6 + args: + code: | + () => { + return window.vulnerableprop + } + matchers: + - type: word + part: extract6 + words: + - "polluted" + + - steps: + - args: + url: "{{BaseURL}}?constconstructorructor[protoprototypetype][vulnerableprop]=polluted" + action: navigate + + - action: waitload + + - action: script + name: extract7 + args: + code: | + () => { + return window.vulnerableprop + } + matchers: + - type: word + part: extract7 + words: + - "polluted" + + - steps: + - args: + url: "{{BaseURL}}?constconstructorructor.protoprototypetype.vulnerableprop=polluted" + action: navigate + + - action: waitload + + - action: script + name: extract8 + args: + code: | + () => { + return window.vulnerableprop + } + + matchers: + - type: word + part: extract8 + words: + - "polluted" + +# digest: 490a0046304402203ff07b0c962c43a69dfc76af68fa56d67e2a9fd360759cc049f60b0881de88c402207dbfca6a94102f5a72926b28b0d10c3e80ad752625090dfb46f31c1774758f99:922c64590222798bb761d5b6d8e72950
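Review bot: The `# digest:` trailer removed at the top of the hunk is re-added at the bottom with exactly the same value (`490a0046…:922c64590222798bb761d5b6d8e72950`) even though the template body grows by four step sets; if that trailer is a signature over the template content, as it appears to be, the old value will no longer validate against the new body and should be regenerated with the signing tool rather than carried over by hand (unless a signing workflow rewrites it on merge, which cannot be seen from here). The `extract8` step set also differs from `extract5`–`extract7` by an extra blank line between the closing `}` of the script block and `matchers:`; dropping that line makes the four blocks read identically. Beyond that, the four added step sets are the same navigate/waitload/script/word-match sequence differing only in the query string and the extract name, so a short comment above the first one stating that each set is a self-contained probe whose result is read through its own `extract<n>` part would help a reader see why the repetition is deliberate and why the matcher names must stay paired with the script names. The `max-request: 8` bump in the earlier hunk matches the four new navigations added here.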