Prototype pollution scanner using headless chrome

plution

What this is

Plution is a convenient way to scan at scale for pages that are vulnerable to client side prototype pollution via a URL payload. In the default configuration, it will use a hardcoded payload that can detect 11 of the cases documented here: https://github.com/BlackFan/client-side-prototype-pollution/tree/master/pp

What this is not

This is not a one stop shop. Prototype pollution is a complicated beast. This tool does nothing you couldn't do manually. This is not a polished bug-free super tool. It is functional but poorly coded and to be considered alpha at best.

How it works

Plution appends a payload to each supplied URL, navigates to it with headless Chrome, and runs JavaScript on the page to verify whether a prototype was successfully polluted.

How it is used

  • Basic scan, output only to screen:
    cat URLs.txt | plution

  • Scan with a supplied payload rather than hardcoded one:
    cat URLs.txt|plution -p '__proto__.zzzc=example'
    Note on custom payloads: The variable you are hoping to inject must be called or render to "zzzc". This is because 'window.zzzc' will be run on each page to verify pollution.

  • Output:
    Passing '-o' followed by a location will output only URLs of pages that were successfully polluted.

  • Concurrency:
    Pass the '-c' option to specify how many concurrent jobs are run (default is 5).
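The mechanism described under "How it works", together with the note above on why a custom payload must resolve to zzzc, as an added example that is not plution's own code. It models the three pieces in Node-runnable JavaScript: the payload appended to a target URL, a page whose query parser can be prototype-polluted (shown beside a hardened parser), and the window.zzzc check plution evaluates to confirm pollution, with globalThis standing in for the browser's window object. The function names withPayload, parseQueryUnsafe, parseQuerySafe, isPolluted and demo and the host app.example are invented for this illustration; the README only says the payload is "appended", so placing it in the query string is an assumption.

```javascript
// Added example; not plution's own code. Models the pieces plution's README
// describes: a payload appended to a URL, a page whose query parser is
// prototype-pollutable, and the `window.zzzc` check used to confirm pollution.
// Runs under Node: globalThis stands in for the browser's window object.

// Hypothetical helper: put the payload in the query string, keeping any
// fragment. (The README only says plution "appends" the payload; where it
// lands is an assumption here.)
function withPayload(target, payload) {
  const [base, fragment] = target.split('#');
  const sep = base.includes('?') ? '&' : '?';
  return base + sep + payload + (fragment !== undefined ? '#' + fragment : '');
}

// Deliberately naive query parser of the kind plution hunts for: a key such
// as "a.b" is written as obj.a.b. Because `obj.__proto__` resolves to
// Object.prototype, "__proto__.zzzc=example" writes Object.prototype.zzzc.
function parseQueryUnsafe(query) {
  const out = {};
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [rawKey, rawVal = ''] = pair.split('=');
    const path = decodeURIComponent(rawKey).split('.');
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof cur[path[i]] !== 'object' || cur[path[i]] === null) cur[path[i]] = {};
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = decodeURIComponent(rawVal);
  }
  return out;
}

// Hardened version: refuse the keys that reach a prototype, and build
// null-prototype objects so there is no __proto__ accessor to walk through.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function parseQuerySafe(query) {
  const out = Object.create(null);
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [rawKey, rawVal = ''] = pair.split('=');
    const path = decodeURIComponent(rawKey).split('.');
    if (path.some((p) => FORBIDDEN.has(p))) continue; // drop the pair entirely
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      if (!Object.prototype.hasOwnProperty.call(cur, path[i]) || typeof cur[path[i]] !== 'object') {
        cur[path[i]] = Object.create(null);
      }
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = decodeURIComponent(rawVal);
  }
  return out;
}

// plution's check, evaluated in the page: `window.zzzc`. window is an ordinary
// object, so the lookup falls through to Object.prototype once polluted.
function isPolluted(marker = 'zzzc') {
  return globalThis[marker] !== undefined;
}

// Run one query string through both parsers and report what the check sees.
// Object.prototype is restored afterwards so the process is not left polluted.
function demo(query) {
  const before = isPolluted();
  parseQueryUnsafe(query);
  const afterUnsafe = isPolluted();
  delete Object.prototype.zzzc;
  parseQuerySafe(query);
  const afterSafe = isPolluted();
  delete Object.prototype.zzzc;
  return { before, afterUnsafe, afterSafe };
}

// Constructed target URL; app.example is a placeholder host.
const url = withPayload('https://app.example/page?x=1', '__proto__.zzzc=example');
console.log(url, demo(url.slice(url.indexOf('?'))));
```

The unsafe parser reports afterUnsafe true and the hardened one afterSafe false for the same query, which is exactly the difference plution's window.zzzc probe is designed to expose. The hardened parser applies two independent layers on purpose: dropping the three prototype-reaching keys stops the write, and null-prototype containers mean that even an overlooked key has no prototype chain to climb.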

Questions and answers

  • How do I install it?
    go get -u github.com/raverrr/plution

  • Why specifically limit it to checking if window.zzzc is defined?
    zzzc is a short pattern that is unlikely to already be in a prototype. If you want more freedom in regards to the JavaScript, use https://github.com/detectify/page-fetch instead.

  • Got a more specific question?
    Ask me on twitter @divadbate.

Comments
  • unable to install and use

    go install github.com/raverrr/plution@latest (used go install since go get is not working anymore).

    Results:

    go: downloading github.com/raverrr/plution v0.0.0-20210801124607-0a45d4e24ae4
    go: finding module for package github.com/fatih/color
    go: finding module for package github.com/chromedp/chromedp
    go: downloading github.com/chromedp/chromedp v0.7.8
    go: downloading github.com/fatih/color v1.13.0
    go: found github.com/chromedp/chromedp in github.com/chromedp/chromedp v0.7.8
    go: found github.com/fatih/color in github.com/fatih/color v1.13.0
    go: downloading github.com/mattn/go-colorable v0.1.9
    go: downloading github.com/mattn/go-isatty v0.0.14
    go: downloading github.com/chromedp/cdproto v0.0.0-20220217222649-d8c14a5c6edf
    go: downloading github.com/gobwas/ws v1.1.0
    go: downloading golang.org/x/sys v0.0.0-20220209214540-3681064d5158
    

    $ cat URLs.txt | plution
    cat: URLs.txt: No such file or directory
    plution: command not found

  • how to install?

    go build plution.go

    go get -u github.com/raverrr/plution

    Error:

    go: go.mod file not found in current directory or any parent directory.
    	'go get' is no longer supported outside a module.
    	To build and install a command, use 'go install' with a version,
    	like 'go install example.com/cmd@latest'
    	For more information, see https://golang.org/doc/go-get-install-deprecation
    	or run 'go help get' or 'go help install'.
    
    
  • add load file option

    Hi @raverrr .

    It's a very good tool, but can you add a load file option like plution -l urls.txt?

    reference https://stackoverflow.com/questions/8757389/reading-a-file-line-by-line-in-go

    Thanks
