id: prototype-pollution-check

info:
  name: Prototype Pollution Check
  author: pdteam
  severity: medium
  metadata:
    max-request: 8
    verified: true
  tags: headless

headless:
  - steps:
      - args:
          url: "{{BaseURL}}?constructor[prototype][vulnerableprop]=polluted#constructor[prototype][vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract1
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract1
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?constructor.prototype.vulnerableprop=polluted#constructor.prototype.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract2
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract2
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__proto__[vulnerableprop]=polluted#__proto__.vulnerableprop=polluted&__proto__[vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract3
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract3
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__proto__.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract4
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract4
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__pro__proto__to__[vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract5
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract5
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__pro__proto__to__.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract6
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract6
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?constconstructorructor[protoprototypetype][vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract7
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract7
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?constconstructorructor.protoprototypetype.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract8
        args:
          code: |
            () => {
             return window.vulnerableprop
            }

    matchers:
      - type: word
        part: extract8
        words:
          - "polluted"
# digest: 490a004630440220332d2eb43e6ee2b3b48ca3bd7b953693814ce81ca3c34fa2036bcbfc93482d6a02204efa7ecda7b863d46e7a42d80500a115097ba317b63547ed5c07a4124338dafc:922c64590222798bb761d5b6d8e72950