id: prototype-pollution-check info: name: Prototype Pollution Check author: pdteam severity: medium reference: - https://github.com/msrkp/PPScan tags: headless headless: - steps: - action: setheader args: part: response key: Content-Security-Policy value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;" - action: setheader args: part: response key: X-Frame-Options value: foo - action: setheader args: part: response key: If-None-Match value: foo - action: script args: hook: true code: | // Hooking code adapted from https://github.com/msrkp/PPScan/blob/main/scripts/content_script.js () => { window.alerts = []; logger = found => window.alerts.push(found); function check() { loc = location.href; if (loc.indexOf("e32a5ec9c99") >= 0 && loc.search("a0def12bce") == -1) { setTimeout(function() { if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60") { logger(location.href); } var url = new URL(location.origin + location.pathname); url.hash = "__proto__[a0def12bce]=ddcb362f1d60&__proto__.a0def12bce=ddcb362f1d60&dummy"; location = url.href; }, 5 * 1000); } else if (loc.search("a0def12bce") != -1) { setTimeout(function() { if (Object.prototype.a0def12bce == "ddcb362f1d60") { logger(location.href); } window.close(); }, 5 * 1000); } else { var url = new URL(loc); url.searchParams.append("__proto__[e32a5ec9c99]", "ddcb362f1d60"); url.searchParams.append("__proto__.e32a5ec9c99", "ddcb362f1d60"); location = url.href; } } window.onload = function() { if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60" || Object.prototype.a0def12bce == "ddcb362f1d60") { logger(location.href); } else { check(); } }; var timerID = setInterval(function() { if (Object.prototype.e32a5ec9c99 == "ddcb362f1d60" || Object.prototype.a0def12bce == "ddcb362f1d60") { logger(location.href); clearInterval(timerID); } }, 5 * 1000); } - args: url: "{{BaseURL}}" action: navigate - action: waitload - action: script name: alerts args: code: window.alerts matchers: - type: word part: alerts words: - "__proto__" extractors: - type: kval part: alerts kval: - alerts