Client-Side Prototype Pollution Tools

Match rules for Burp Software Version Reporter extension

Match rules that passively detect vulnerable libraries even in minified JS code.

Rules: match_rules/match-rules.tab
Extension: Software Version Reporter

<img src="https://user-images.githubusercontent.com/3295867/132972901-d60e742e-a4ad-4759-a079-4f96b870e4b1.png" width="70%">

Prototype Checker

A JS script that highlights custom (non-standard) fields on prototypes and constructors. Such fields are candidate script gadgets: code paths that read a property the page never sets and use it in a dangerous sink, which is what makes Prototype Pollution exploitable.

Script: prototype_checker/prototype_checker.js
Script Gadget Example: script.aculo.us XSS Script Gadget
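The idea behind such a checker, written out as an added example (this is not the repository's prototype_checker.js): enumerate the fields on every constructor reachable from a root object and on its prototype, then drop the ones a clean baseline also has. In a browser the root would be `window` and the baseline the `contentWindow` of a pristine iframe; here the page object, the baseline and the `Ajax` constructor with its `options` field are all constructed for the demo, and the names `collectFields`, `findCustomFields` and `checkConstructedPage` are this example's own.

```javascript
// Names every function carries by default; not interesting as gadgets.
const GENERIC_FIELDS = new Set(['length', 'name', 'prototype', 'arguments', 'caller', 'constructor']);

// Return "Ctor.field" and "Ctor.prototype.field" for each function-valued
// own property of `root` (in a browser, `root` would be `window`).
function collectFields(root) {
  const fields = [];
  for (const name of Object.getOwnPropertyNames(root)) {
    let value;
    try { value = root[name]; } catch (e) { continue; }   // accessor properties may throw
    if (typeof value !== 'function') continue;
    for (const key of Object.getOwnPropertyNames(value)) {
      if (!GENERIC_FIELDS.has(key)) fields.push(`${name}.${key}`);
    }
    const proto = value.prototype;
    if (proto !== null && (typeof proto === 'object' || typeof proto === 'function')) {
      for (const key of Object.getOwnPropertyNames(proto)) {
        if (!GENERIC_FIELDS.has(key)) fields.push(`${name}.prototype.${key}`);
      }
    }
  }
  return fields;
}

// Keep only the fields the baseline does not know about. `baseline` is a Set
// built with collectFields() from a pristine root: an iframe's contentWindow
// in a browser, or a snapshot taken before the library under test runs.
function findCustomFields(root, baseline) {
  return collectFields(root).filter((field) => !baseline.has(field)).sort();
}

// Constructed demo: the same built-ins before and after a "library" adds a
// global constructor carrying custom fields (loosely modelled on the Ajax-style
// objects the script.aculo.us gadget abuses; not that library's real code).
function checkConstructedPage() {
  const baseline = new Set(collectFields({ Object, Array, Function, String, RegExp }));

  function Ajax() {}
  Ajax.activeRequestCount = 0;                 // custom static field
  Ajax.prototype.options = { evalJS: true };   // custom prototype field: a gadget candidate

  const pageWindow = { Object, Array, Function, String, RegExp, Ajax };
  return findCustomFields(pageWindow, baseline);
}

console.log(checkConstructedPage());
```

The built-ins drop out because the baseline already lists every field on `Object`, `Array` and friends; only `Ajax.activeRequestCount` and `Ajax.prototype.options` remain, which is the list a tester would then read through looking for properties that reach `eval`, `innerHTML`, a URL or similar sinks.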


Burp pollute.js

pollute.js is a script that highlights access to uninitialized properties using code instrumentation: property reads in the page's JS are rewritten so that a read which falls through to the prototype chain (the place a polluted value would come from) can be logged. With a small additional script, all HTTP responses passing through Burp Proxy can be replaced with the instrumented code.

Install

Now you can set up the logging conditions in the PREAMBLE of pollute.js. For example, to search for DOM Clobbering gadgets, replace

```js
obj instanceof Object
```

with

```js
(obj instanceof Window || obj instanceof Document)
```

If you want to log access to properties only after Prototype Pollution has already been triggered, add the condition

```js
typeof Object.prototype[1337] != 'undefined'
```

and load the page with

```
?__proto__[1337]=xxx
```
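The workflow above, as an added example that runs in Node (it is not pollute.js itself): a Proxy stands in for the source rewriting pollute.js performs, `PREAMBLE.shouldLog` carries the condition from the text, and `parseQueryUnsafe` is a deliberately vulnerable query-string parser constructed here to show how `?__proto__[1337]=xxx` ends up on `Object.prototype`. The names `instrument`, `accessLog` and `runScenario` are this example's own.

```javascript
const accessLog = [];

const PREAMBLE = {
  // Same condition as in the text: only report once the probe value from
  // ?__proto__[1337]=xxx has reached Object.prototype. For DOM Clobbering
  // gadgets a browser version would test `obj instanceof Window ||
  // obj instanceof Document` here instead (Window/Document do not exist in Node).
  shouldLog: (obj) => obj instanceof Object && typeof Object.prototype[1337] !== 'undefined',
};

// Wrap an object so that every read of a property it does not own (an
// "uninitialized" property, resolved via the prototype chain) is logged when
// the PREAMBLE condition holds. pollute.js gets the same effect by rewriting
// property accesses in the JS source; a Proxy is used here for brevity.
function instrument(target, label) {
  return new Proxy(target, {
    get(obj, prop, receiver) {
      const value = Reflect.get(obj, prop, receiver);
      if (typeof prop === 'string' &&
          !Object.prototype.hasOwnProperty.call(obj, prop) &&
          PREAMBLE.shouldLog(obj)) {
        accessLog.push(`${label}.${prop} -> ${String(value)}`);
      }
      return value;
    },
  });
}

// Deliberately vulnerable query-string parser, constructed for this example:
// bracketed keys are walked into nested objects without rejecting "__proto__",
// so ?__proto__[1337]=xxx writes to Object.prototype. This is the bug such a
// page would have, not something to copy.
function parseQueryUnsafe(search) {
  const result = {};
  for (const pair of search.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [rawKey, rawValue = ''] = pair.split('=');
    const keys = decodeURIComponent(rawKey).replace(/\]/g, '').split('[');
    let cursor = result;
    for (let i = 0; i < keys.length - 1; i++) {
      if (cursor[keys[i]] === undefined) cursor[keys[i]] = {};
      cursor = cursor[keys[i]];   // for "__proto__" this is Object.prototype
    }
    cursor[keys[keys.length - 1]] = decodeURIComponent(rawValue);
  }
  return result;
}

// Walk through the workflow once and return the log lines it produced.
function runScenario() {
  const config = instrument({ endpoint: '/api' }, 'config');
  const start = accessLog.length;
  void config.debug;                          // not polluted yet: nothing logged
  void config.endpoint;                       // own property: never logged
  parseQueryUnsafe('?__proto__[1337]=xxx');   // page "loaded" with the probe
  void config.debug;                          // logged: read falls through to the prototype chain
  void config[1337];                          // logged, and shows the injected value
  const entries = accessLog.slice(start);
  delete Object.prototype[1337];              // clean up the pollution
  return entries;
}

console.log(runScenario().join('\n'));
```

The first read of `config.debug` produces nothing because the condition is false; after the probe has landed, the same read is logged, and `config[1337]` shows the injected value. In a real run every such line is a property the page reads but never sets, which is the list to triage for gadgets.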
