From 3d448d0f80e7411fd0f709690f0b0f90adfb06a7 Mon Sep 17 00:00:00 2001
From: h41th
Date: Thu, 22 Aug 2024 22:33:45 +0200
Subject: [PATCH 1/2] Update prototype pollution checks to include matchers for insecure sanitization
Added some steps to check for prototype pollution when there's insecure sanitization. Pulled from Portswigger Web Academy : https://portswigger.net/web-security/prototype-pollution/client-side#bypassing-flawed-key-sanitization
---
 headless/prototype-pollution-check.yaml | 83 ++++++++++++++++++++++++-
 1 file changed, 82 insertions(+), 1 deletion(-)
diff --git a/headless/prototype-pollution-check.yaml b/headless/prototype-pollution-check.yaml
index 5489a5ce48..f5c7199944 100644
--- a/headless/prototype-pollution-check.yaml
+++ b/headless/prototype-pollution-check.yaml
@@ -88,4 +88,85 @@ headless:
         part: extract4
         words:
           - "polluted"
-# digest: 490a0046304402203ff07b0c962c43a69dfc76af68fa56d67e2a9fd360759cc049f60b0881de88c402207dbfca6a94102f5a72926b28b0d10c3e80ad752625090dfb46f31c1774758f99:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+
+  - steps:
+      - args:
+          url: "{{BaseURL}}?__pro__proto__to__[vulnerableprop]=polluted"
+        action: navigate
+
+      - action: waitload
+
+      - action: script
+        name: extract5
+        args:
+          code: |
+            () => {
+              return window.vulnerableprop
+            }
+    matchers:
+      - type: word
+        part: extract5
+        words:
+          - "polluted"
+
+  - steps:
+      - args:
+          url: "{{BaseURL}}?__pro__proto__to__.vulnerableprop=polluted"
+        action: navigate
+
+      - action: waitload
+
+      - action: script
+        name: extract6
+        args:
+          code: |
+            () => {
+              return window.vulnerableprop
+            }
+    matchers:
+      - type: word
+        part: extract6
+        words:
+          - "polluted"
+
+  - steps:
+      - args:
+          url: "{{BaseURL}}?constconstructorructor[protoprototypetype][vulnerableprop]=polluted"
+        action: navigate
+
+      - action: waitload
+
+      - action: script
+        name: extract7
+        args:
+          code: |
+            () => {
+              return window.vulnerableprop
+            }
+    matchers:
+      - type: word
+        part: extract7
+        words:
+          - "polluted"
+
+  - steps:
+      - args:
+          url: "{{BaseURL}}?constconstructorructor.protoprototypetype.vulnerableprop=polluted"
+        action: navigate
+
+      - action: waitload
+
+      - action: script
+        name: extract8
+        args:
+          code: |
+            () => {
+              return window.vulnerableprop
+            }
+    matchers:
+      - type: word
+        part: extract8
+        words:
+          - "polluted"
+
+# digest: 490a0046304402203ff07b0c962c43a69dfc76af68fa56d67e2a9fd360759cc049f60b0881de88c402207dbfca6a94102f5a72926b28b0d10c3e80ad752625090dfb46f31c1774758f99:922c64590222798bb761d5b6d8e72950
From a381f221344cc47c88cc182bd565fa527fed890c Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Tue, 8 Oct 2024 14:22:54 +0530
Subject: [PATCH 2/2] minor-update
---
 headless/prototype-pollution-check.yaml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
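Review bot: The `# digest:` line re-added at the end of this hunk is byte-identical to the one it removes, even though the template body above it has changed; if that digest is the template's signature over its content, it no longer corresponds to this file and should be regenerated by the signing step (or dropped so the release pipeline re-signs), and the second patch leaves it untouched too. The four new `- steps:` blocks also omit the blank line between the closing `}` of the script scalar and `matchers:` that the existing blocks keep (the `-25,7` hunk of the second patch shows it as context); the second patch restores it only for the extract8 block in its `-163,6` hunk, so the extract5–7 blocks still differ from the rest of the file. Adding that blank line before each of the three remaining `matchers:` keys would make the eight blocks uniform.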
diff --git a/headless/prototype-pollution-check.yaml b/headless/prototype-pollution-check.yaml
index f5c7199944..7788abb55f 100644
--- a/headless/prototype-pollution-check.yaml
+++ b/headless/prototype-pollution-check.yaml
@@ -5,7 +5,8 @@ info:
   author: pdteam
   severity: medium
   metadata:
-    max-request: 4
+    max-request: 8
+    verified: true
   tags: headless
 
 headless:
@@ -17,7 +18,7 @@ headless:
       - action: waitload
 
       - action: script
-        name: extract
+        name: extract1
         args:
           code: |
             () => {
@@ -25,7 +26,7 @@ headless:
             }
 
     matchers:
       - type: word
-        part: extract
+        part: extract1
         words:
           - "polluted"
@@ -163,6 +164,7 @@ headless:
             () => {
               return window.vulnerableprop
             }
+
     matchers:
       - type: word
         part: extract8