# Headless check for client-side prototype pollution via URL parameters.
#
# Each of the four headless blocks below loads the target with a different
# spelling of a "set vulnerableprop on the prototype" parameter, waits for
# the page to load, then evaluates `window.vulnerableprop` inside the page.
# Nothing in the template assigns that property on `window` directly, so a
# value of "polluted" presumably means page script parsed the URL into an
# object and the write reached the prototype chain.
#
# Scope notes for triage:
#   - The read happens in the browser, so this covers client-side parsing
#     only. The `#...` fragment is never sent to the server.
#   - A match says the property became visible on `window` during this page
#     load. It does not identify which script parsed the parameter or
#     whether anything on the page consumes polluted properties.
#   - Usual remediation is in the parameter/merge code: skip the keys
#     `__proto__`, `constructor` and `prototype`, or build into a
#     null-prototype object or a Map.
id: prototype-pollution-check

info:
  name: Prototype Pollution Check
  author: pdteam
  severity: medium
  metadata:
    # One navigation per headless block below; there are four blocks.
    max-request: 4
  tags: headless

headless:
  # Variant 1: bracket notation through `constructor[prototype]`, sent in
  # both the query string and the fragment.
  - steps:
      - args:
          url: "{{BaseURL}}?constructor[prototype][vulnerableprop]=polluted#constructor[prototype][vulnerableprop]=polluted"
        action: navigate

      # Let the page's own scripts run before the property is read.
      - action: waitload

      # The step name is what the matcher's `part` refers to.
      - action: script
        name: extract
        args:
          code: |
            () => {
              return window.vulnerableprop
            }

    matchers:
      # Matches when the script result contains the marker value.
      - type: word
        part: extract
        words:
          - "polluted"

  # Variant 2: dot notation through `constructor.prototype`, sent in both
  # the query string and the fragment.
  - steps:
      - args:
          url: "{{BaseURL}}?constructor.prototype.vulnerableprop=polluted#constructor.prototype.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract2
        args:
          code: |
            () => {
              return window.vulnerableprop
            }

    matchers:
      - type: word
        part: extract2
        words:
          - "polluted"

  # Variant 3: `__proto__` in bracket form in the query string, and in both
  # dot and bracket form in the fragment.
  - steps:
      - args:
          url: "{{BaseURL}}?__proto__[vulnerableprop]=polluted#__proto__.vulnerableprop=polluted&__proto__[vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract3
        args:
          code: |
            () => {
              return window.vulnerableprop
            }

    matchers:
      - type: word
        part: extract3
        words:
          - "polluted"

  # Variant 4: `__proto__` in dot form, query string only (no fragment).
  - steps:
      - args:
          url: "{{BaseURL}}?__proto__.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract4
        args:
          code: |
            () => {
              return window.vulnerableprop
            }

    matchers:
      - type: word
        part: extract4
        words:
          - "polluted"
# NOTE(review): the digest below is the template's signature as published.
# It presumably covers the template body, so confirm it still verifies after
# any edit (including comment or whitespace changes) and re-sign if not.
# digest: 4b0a00483046022100b0180dde262d6546d4eaa2137bba9863bfae06d159d696ecee48335c5687e985022100ffa00bb4141f83c8ee22c5f25bad437dfe42db333565fa6c1285b3d29fae723e:922c64590222798bb761d5b6d8e72950