92 lines
2.1 KiB
YAML
92 lines
2.1 KiB
YAML
id: prototype-pollution-check
|
|
|
|
info:
|
|
name: Prototype Pollution Check
|
|
author: pdteam
|
|
severity: medium
|
|
metadata:
|
|
max-request: 4
|
|
tags: headless
|
|
headless:
|
|
- steps:
|
|
- args:
|
|
url: "{{BaseURL}}?constructor[prototype][vulnerableprop]=polluted#constructor[prototype][vulnerableprop]=polluted"
|
|
action: navigate
|
|
|
|
- action: waitload
|
|
|
|
- action: script
|
|
name: extract
|
|
args:
|
|
code: |
|
|
() => {
|
|
return window.vulnerableprop
|
|
}
|
|
matchers:
|
|
- type: word
|
|
part: extract
|
|
words:
|
|
- "polluted"
|
|
|
|
- steps:
|
|
- args:
|
|
url: "{{BaseURL}}?constructor.prototype.vulnerableprop=polluted#constructor.prototype.vulnerableprop=polluted"
|
|
action: navigate
|
|
|
|
- action: waitload
|
|
|
|
- action: script
|
|
name: extract2
|
|
args:
|
|
code: |
|
|
() => {
|
|
return window.vulnerableprop
|
|
}
|
|
matchers:
|
|
- type: word
|
|
part: extract2
|
|
words:
|
|
- "polluted"
|
|
|
|
- steps:
|
|
- args:
|
|
url: "{{BaseURL}}?__proto__[vulnerableprop]=polluted#__proto__.vulnerableprop=polluted&__proto__[vulnerableprop]=polluted"
|
|
action: navigate
|
|
|
|
- action: waitload
|
|
|
|
- action: script
|
|
name: extract3
|
|
args:
|
|
code: |
|
|
() => {
|
|
return window.vulnerableprop
|
|
}
|
|
matchers:
|
|
- type: word
|
|
part: extract3
|
|
words:
|
|
- "polluted"
|
|
|
|
- steps:
|
|
- args:
|
|
url: "{{BaseURL}}?__proto__.vulnerableprop=polluted"
|
|
action: navigate
|
|
|
|
- action: waitload
|
|
|
|
- action: script
|
|
name: extract4
|
|
args:
|
|
code: |
|
|
() => {
|
|
return window.vulnerableprop
|
|
}
|
|
matchers:
|
|
- type: word
|
|
part: extract4
|
|
words:
|
|
- "polluted"
|
|
|
|
# digest: 4b0a00483046022100b0180dde262d6546d4eaa2137bba9863bfae06d159d696ecee48335c5687e985022100ffa00bb4141f83c8ee22c5f25bad437dfe42db333565fa6c1285b3d29fae723e:922c64590222798bb761d5b6d8e72950
|