Prototype Pollution Check
ID: prototype-pollution-check
Severity: medium
Author: pdteam
Tags: headless
Description
YAML Source

id: prototype-pollution-check

info:
  name: Prototype Pollution Check
  author: pdteam
  severity: medium
  metadata:
    max-request: 8
    verified: true
  tags: headless

headless:
  - steps:
      - args:
          url: "{{BaseURL}}?constructor[prototype][vulnerableprop]=polluted#constructor[prototype][vulnerableprop]=polluted"
        action: navigate
      - action: waitload
      - action: script
        name: extract1
        args:
          code: |
            () => {
              return window.vulnerableprop
            }

    matchers:
      - type: word
        part: extract1
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?constructor.prototype.vulnerableprop=polluted#constructor.prototype.vulnerableprop=polluted"
        action: navigate
      - action: waitload
      - action: script
        name: extract2
        args:
          code: |
            () => {
              return window.vulnerableprop
            }

    matchers:
      - type: word
        part: extract2
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__proto__[vulnerableprop]=polluted#__proto__.vulnerableprop=polluted&__proto__[vulnerableprop]=polluted"
        action: navigate
      - action: waitload
      - action: script
        name: extract3
        args:
          code: |
            () => {
              return window.vulnerableprop
            }

    matchers:
      - type: word
        part: extract3
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__proto__.vulnerableprop=polluted"
        action: navigate
      - action: waitload
      - action: script
        name: extract4
        args:
          code: |
            () => {
              return window.vulnerableprop
            }

    matchers:
      - type: word
        part: extract4
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__pro__proto__to__[vulnerableprop]=polluted"
        action: navigate
      - action: waitload
      - action: script
        name: extract5
        args:
          code: |
            () => {
              return window.vulnerableprop
            }

    matchers:
      - type: word
        part: extract5
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__pro__proto__to__.vulnerableprop=polluted"
        action: navigate
      - action: waitload
      - action: script
        name: extract6
        args:
          code: |
            () => {
              return window.vulnerableprop
            }

    matchers:
      - type: word
        part: extract6
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?constconstructorructor[protoprototypetype][vulnerableprop]=polluted"
        action: navigate
      - action: waitload
      - action: script
        name: extract7
        args:
          code: |
            () => {
              return window.vulnerableprop
            }

    matchers:
      - type: word
        part: extract7
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?constconstructorructor.protoprototypetype.vulnerableprop=polluted"
        action: navigate
      - action: waitload
      - action: script
        name: extract8
        args:
          code: |
            () => {
              return window.vulnerableprop
            }

    matchers:
      - type: word
        part: extract8
        words:
          - "polluted"
# digest: 4a0a00473045022100f13ceb8a2f5cb2951a224b4cae1b6ebba91ff7c1ad2e3862a12f7824d74925080220462e096ee2dc84e717dc95341d96922eab4594202dce02cff5dad9aed5577b00:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template detects client-side prototype pollution in web applications. Each of its eight headless steps loads the target with a different pollution payload in the query string or fragment (bracket and dot notation, plus doubled spellings such as __pro__proto__to__ that survive a single, non-recursive removal of __proto__, constructor or prototype), then runs a script that reads window.vulnerableprop and matches when the value is "polluted". Run it with the Nuclei tool; headless templates are only executed when Nuclei is started with the -headless flag.
$ nuclei -u "URL" -t "headless/prototype-pollution-check.yaml"
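To show why the template needs eight variants, here is an added example (not part of the Nuclei template or of ProjectDiscovery's code) that can be run offline in Node. It defines three hypothetical query-string parsers of the kind the template targets, which expand a[b][c] or a.b.c keys into nested objects: one with no filtering, one with a naive single-pass strip of the dangerous words, and one hardened version. A check equivalent to the template's window.vulnerableprop script step is run after each of the template's payloads; the base URL is a constructed stand-in for {{BaseURL}}.

```javascript
// Added example, not part of the Nuclei template or ProjectDiscovery's code.
// Three toy query-string parsers that expand bracket/dot notation
// (a[b][c] or a.b.c) into nested objects, plus a check equivalent to the
// template's `window.vulnerableprop` script step, so the template's eight
// payloads can be run against each parser offline in Node.

// The eight payloads from the template; the base URL is a constructed stand-in for {{BaseURL}}.
const BASE_URL = "http://app.example.test/";
const TEMPLATE_PAYLOADS = [
  "?constructor[prototype][vulnerableprop]=polluted#constructor[prototype][vulnerableprop]=polluted",
  "?constructor.prototype.vulnerableprop=polluted#constructor.prototype.vulnerableprop=polluted",
  "?__proto__[vulnerableprop]=polluted#__proto__.vulnerableprop=polluted&__proto__[vulnerableprop]=polluted",
  "?__proto__.vulnerableprop=polluted",
  "?__pro__proto__to__[vulnerableprop]=polluted",
  "?__pro__proto__to__.vulnerableprop=polluted",
  "?constconstructorructor[protoprototypetype][vulnerableprop]=polluted",
  "?constconstructorructor.protoprototypetype.vulnerableprop=polluted",
].map((p) => BASE_URL + p);

const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Collect key/value pairs from both the query string and the fragment,
// since the template places payloads in both.
function parsePairs(url) {
  const u = new URL(url);
  return [
    ...new URLSearchParams(u.search).entries(),
    ...new URLSearchParams(u.hash.slice(1)).entries(),
  ];
}

// "a[b][c]" and "a.b.c" both become ["a", "b", "c"].
function splitPath(key) {
  return key.replace(/\]/g, "").split(/\[|\./).filter((s) => s.length > 0);
}

// The vulnerable primitive: walk the path, creating objects only where a
// property is missing. "__proto__" and "constructor" are never missing on a
// plain object, so the walk lands on Object.prototype and the final
// assignment becomes visible on every object (including the browser's window).
function deepSet(target, path, value) {
  let cur = target;
  for (let i = 0; i < path.length - 1; i++) {
    if (cur[path[i]] === undefined) cur[path[i]] = {};
    cur = cur[path[i]];
  }
  cur[path[path.length - 1]] = value;
}

// 1. No filtering at all: caught by the template's plain payloads (steps 1-4).
function unsafeParse(url) {
  const out = {};
  for (const [key, value] of parsePairs(url)) deepSet(out, splitPath(key), value);
  return out;
}

// 2. A naive sanitizer that deletes each dangerous word once. Non-recursive
// stripping is why the template also sends __pro__proto__to__ and
// constconstructorructor (steps 5-8): one removal leaves the real token behind.
function strippingParse(url) {
  const out = {};
  for (const [key, value] of parsePairs(url)) {
    const path = splitPath(key).map((s) =>
      s.replace("__proto__", "").replace("constructor", "").replace("prototype", ""),
    );
    deepSet(out, path, value);
  }
  return out;
}

// 3. Hardened: drop any pair whose path contains a forbidden segment, and build
// the result from null-prototype objects so there is no chain to reach even if
// a segment slipped through.
function safeParse(url) {
  const out = Object.create(null);
  for (const [key, value] of parsePairs(url)) {
    const path = splitPath(key);
    if (path.some((s) => FORBIDDEN_SEGMENTS.has(s))) continue;
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      const seg = path[i];
      if (!Object.prototype.hasOwnProperty.call(cur, seg) || typeof cur[seg] !== "object") {
        cur[seg] = Object.create(null);
      }
      cur = cur[seg];
    }
    cur[path[path.length - 1]] = value;
  }
  return out;
}

// Node equivalent of the template's script step: a fresh object inherits
// vulnerableprop only if Object.prototype was polluted.
function isPolluted() {
  return ({}).vulnerableprop === "polluted";
}

function resetPollution() {
  delete Object.prototype.vulnerableprop;
}

// Run every template payload through one parser; true means that step would match.
function runAgainst(parser) {
  return TEMPLATE_PAYLOADS.map((url) => {
    resetPollution();
    parser(url);
    const hit = isPolluted();
    resetPollution();
    return hit;
  });
}

for (const [name, parser] of Object.entries({ unsafeParse, strippingParse, safeParse })) {
  console.log(name.padEnd(15), runAgainst(parser).map((h) => (h ? "MATCH" : "clean")).join(" "));
}
```

Run with node; the unfiltered parser is matched by steps 1-4 and the single-pass stripper by steps 5-8, which is the coverage the eight steps are designed to give, while the hardened parser is matched by none. The fix that matters is the combination of rejecting the three segment names outright and never walking a prototype chain (Object.create(null)); either alone leaves a variant reachable.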