Skip to content
main
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 

Client-Side Prototype Pollution Tools

Match rules for Burp Software Version Reporter extension

Match rules that passively detect vulnerable libraries even in minified JS code.

Rules: match_rules/match-rules.tab
Extension: Software Version Reporter

Prototype Checker

JS script that highlights custom fields in prototypes and constructors that can be useful in exploiting Prototype Pollution.

Script: prototype_checker/prototype_checker.js
Script Gadget Example: script.aculo.us XSS Script Gadget

Screenshot at 18-34-30

Burp pollute.js

pollute.js is a script that highlights access to uninitialized properties using code instrumentation. By adding a small script to it, you can replace all Burp Proxy HTTP responses with modified code.

Install

  • Install pollute.js dependencies
  • Setup webserver to run pollute.js using pollute.php (or write your own wrapper)
  • Customize your link in POLLUTE_JS
  • Build Burp Suite extension

Now you can setup logging conditions in pollute.js PREAMBLE. For example, to search for DOM Clobbering gadgets, replace

obj instanceof Object

with

(obj instanceof Window || obj instanceof Document)

If you want to log access to properties only after Prototype Pollution has already triggered, add the condition

typeof Object.prototype[1337] != 'undefined'

and call the page with

?__proto__[1337]=xxx

Screenshot at 18-44-47

About

Client-Side Prototype Pollution Tools

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published