headless/prototype-pollution-check.yaml

id: prototype-pollution-check

info:
  name: Prototype Pollution Check
  author: pdteam
  severity: medium
  metadata:
    max-request: 8
    verified: true
  tags: headless

headless:
  - steps:
      - args:
          url: "{{BaseURL}}?constructor[prototype][vulnerableprop]=polluted#constructor[prototype][vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract1
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract1
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?constructor.prototype.vulnerableprop=polluted#constructor.prototype.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract2
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract2
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__proto__[vulnerableprop]=polluted#__proto__.vulnerableprop=polluted&__proto__[vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract3
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract3
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__proto__.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract4
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract4
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__pro__proto__to__[vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract5
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract5
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__pro__proto__to__.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract6
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract6
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?constconstructorructor[protoprototypetype][vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract7
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract7
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?constconstructorructor.protoprototypetype.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract8
        args:
          code: |
            () => {
             return window.vulnerableprop
            }

    matchers:
      - type: word
        part: extract8
        words:
          - "polluted"
# digest: 4a0a00473045022100f13ceb8a2f5cb2951a224b4cae1b6ebba91ff7c1ad2e3862a12f7824d74925080220462e096ee2dc84e717dc95341d96922eab4594202dce02cff5dad9aed5577b00:922c64590222798bb761d5b6d8e72950
Adding headless templates 2021-03-10 14:03:40 +05:30			`id: prototype-pollution-check`

			`info:`
			`name: Prototype Pollution Check`
misc tag updates 2021-04-06 12:16:11 +05:30			`author: pdteam`
Adding headless templates 2021-03-10 14:03:40 +05:30			`severity: medium`
TemplateMan Update [Tue Oct 31 10:54:20 UTC 2023] :robot: 2023-10-31 10:54:20 +00:00			`metadata:`
chore: update TemplateMan 🤖 2025-05-27 02:29:19 +00:00			`max-request: 8`
Revert "chore: update TemplateMan 🤖" This reverts commit c31d574176f2b9e6f8d4fe573a24e7192f808e84. 2025-05-27 10:39:47 +08:00			`verified: true`
Adding headless templates 2021-03-10 14:03:40 +05:30			`tags: headless`
Revert "chore: update TemplateMan 🤖" This reverts commit c31d574176f2b9e6f8d4fe573a24e7192f808e84. 2025-05-27 10:39:47 +08:00
Adding headless templates 2021-03-10 14:03:40 +05:30			`headless:`
			`- steps:`
Simpler Prototype pollution template 2023-01-09 20:13:13 +04:00			`- args:`
			`url: "{{BaseURL}}?constructor[prototype][vulnerableprop]=polluted#constructor[prototype][vulnerableprop]=polluted"`
			`action: navigate`

			`- action: waitload`

Adding headless templates 2021-03-10 14:03:40 +05:30			`- action: script`
minor-update 2024-10-08 14:22:54 +05:30			`name: extract1`
Adding headless templates 2021-03-10 14:03:40 +05:30			`args:`
			`code: \|`
Fix code execution in headless templates (#4484) * Wrapping the JS code with a function https://github.com/projectdiscovery/nuclei/issues/2017 * Wrapping the JS code with a function https://github.com/projectdiscovery/nuclei/issues/2017 2022-07-28 14:21:08 +03:00			`() => {`
Simpler Prototype pollution template 2023-01-09 20:13:13 +04:00			`return window.vulnerableprop`
			`}`
			`matchers:`
			`- type: word`
minor-update 2024-10-08 14:22:54 +05:30			`part: extract1`
Simpler Prototype pollution template 2023-01-09 20:13:13 +04:00			`words:`
			`- "polluted"`
templateman update 2023-10-14 16:57:55 +05:30
Simpler Prototype pollution template 2023-01-09 20:13:13 +04:00			`- steps:`
			`- args:`
			`url: "{{BaseURL}}?constructor.prototype.vulnerableprop=polluted#constructor.prototype.vulnerableprop=polluted"`
			`action: navigate`
Adding headless templates 2021-03-10 14:03:40 +05:30
Simpler Prototype pollution template 2023-01-09 20:13:13 +04:00			`- action: waitload`
Adding headless templates 2021-03-10 14:03:40 +05:30
Simpler Prototype pollution template 2023-01-09 20:13:13 +04:00			`- action: script`
			`name: extract2`
			`args:`
			`code: \|`
			`() => {`
			`return window.vulnerableprop`
			`}`
			`matchers:`
			`- type: word`
			`part: extract2`
			`words:`
			`- "polluted"`
Adding headless templates 2021-03-10 14:03:40 +05:30
Simpler Prototype pollution template 2023-01-09 20:13:13 +04:00			`- steps:`
Adding headless templates 2021-03-10 14:03:40 +05:30			`- args:`
Simpler Prototype pollution template 2023-01-09 20:13:13 +04:00			`url: "{{BaseURL}}?__proto__[vulnerableprop]=polluted#__proto__.vulnerableprop=polluted&__proto__[vulnerableprop]=polluted"`
Adding headless templates 2021-03-10 14:03:40 +05:30			`action: navigate`
Simpler Prototype pollution template 2023-01-09 20:13:13 +04:00
Adding headless templates 2021-03-10 14:03:40 +05:30			`- action: waitload`
misc fixes to headless template (#5239) 2022-08-29 14:40:50 +05:30
Adding headless templates 2021-03-10 14:03:40 +05:30			`- action: script`
Simpler Prototype pollution template 2023-01-09 20:13:13 +04:00			`name: extract3`
Adding headless templates 2021-03-10 14:03:40 +05:30			`args:`
misc fixes to headless template (#5239) 2022-08-29 14:40:50 +05:30			`code: \|`
Simpler Prototype pollution template 2023-01-09 20:13:13 +04:00			`() => {`
			`return window.vulnerableprop`
			`}`
Adding headless templates 2021-03-10 14:03:40 +05:30			`matchers:`
			`- type: word`
Simpler Prototype pollution template 2023-01-09 20:13:13 +04:00			`part: extract3`
Adding headless templates 2021-03-10 14:03:40 +05:30			`words:`
Simpler Prototype pollution template 2023-01-09 20:13:13 +04:00			`- "polluted"`
templateman update 2023-10-14 16:57:55 +05:30
Simpler Prototype pollution template 2023-01-09 20:13:13 +04:00			`- steps:`
			`- args:`
			`url: "{{BaseURL}}?__proto__.vulnerableprop=polluted"`
			`action: navigate`
misc fixes to headless template (#5239) 2022-08-29 14:40:50 +05:30
Simpler Prototype pollution template 2023-01-09 20:13:13 +04:00			`- action: waitload`

			`- action: script`
			`name: extract4`
			`args:`
			`code: \|`
			`() => {`
			`return window.vulnerableprop`
			`}`
			`matchers:`
			`- type: word`
			`part: extract4`
			`words:`
			`- "polluted"`
Update prototype pollution checks to include matchers for insecure sanitization Added some steps to check for prototype pollution when there's insecure sanitization. Pulled from Portswigger Web Academy : https://portswigger.net/web-security/prototype-pollution/client-side#bypassing-flawed-key-sanitization 2024-08-22 22:33:45 +02:00
			`- steps:`
			`- args:`
			`url: "{{BaseURL}}?__pro__proto__to__[vulnerableprop]=polluted"`
			`action: navigate`

			`- action: waitload`

			`- action: script`
			`name: extract5`
			`args:`
			`code: \|`
			`() => {`
			`return window.vulnerableprop`
			`}`
			`matchers:`
			`- type: word`
			`part: extract5`
			`words:`
			`- "polluted"`

			`- steps:`
			`- args:`
			`url: "{{BaseURL}}?__pro__proto__to__.vulnerableprop=polluted"`
			`action: navigate`

			`- action: waitload`

			`- action: script`
			`name: extract6`
			`args:`
			`code: \|`
			`() => {`
			`return window.vulnerableprop`
			`}`
			`matchers:`
			`- type: word`
			`part: extract6`
			`words:`
			`- "polluted"`

			`- steps:`
			`- args:`
			`url: "{{BaseURL}}?constconstructorructor[protoprototypetype][vulnerableprop]=polluted"`
			`action: navigate`

			`- action: waitload`

			`- action: script`
			`name: extract7`
			`args:`
			`code: \|`
			`() => {`
			`return window.vulnerableprop`
			`}`
			`matchers:`
			`- type: word`
			`part: extract7`
			`words:`
			`- "polluted"`

			`- steps:`
			`- args:`
			`url: "{{BaseURL}}?constconstructorructor.protoprototypetype.vulnerableprop=polluted"`
			`action: navigate`

			`- action: waitload`

			`- action: script`
			`name: extract8`
			`args:`
			`code: \|`
			`() => {`
			`return window.vulnerableprop`
			`}`
minor-update 2024-10-08 14:22:54 +05:30
Update prototype pollution checks to include matchers for insecure sanitization Added some steps to check for prototype pollution when there's insecure sanitization. Pulled from Portswigger Web Academy : https://portswigger.net/web-security/prototype-pollution/client-side#bypassing-flawed-key-sanitization 2024-08-22 22:33:45 +02:00			`matchers:`
			`- type: word`
			`part: extract8`
			`words:`
			`- "polluted"`
chore: sign templates 🤖 2024-12-01 13:57:55 +00:00			`# digest: 4a0a00473045022100f13ceb8a2f5cb2951a224b4cae1b6ebba91ff7c1ad2e3862a12f7824d74925080220462e096ee2dc84e717dc95341d96922eab4594202dce02cff5dad9aed5577b00:922c64590222798bb761d5b6d8e72950`