JSPanda - Client-Side Prototype Pullution Vulnerability Scanner

      No comments   

JSpanda is client-side prototype pollution vulnerability scanner. It has two key features, scanning vulnerability the supplied URLs and analyzing the JavaScript libraries' source code.

However, JSpanda cannot detect advanced prototype pollution vulnerabilities.

How JSPanda works?
  • Uses multiple payloads for prototype pollution vulnerability.
  • Gathers all the links in the targets for scanning and add payloads to JSpanda-obtained URLs, navigates to each URL with headless Chromedriver.
  • Scans all words in the source code of potentially vulnerable JavaScript library and it creates a simple JS PoC by finding the script gadget, helping you analyze the code manually.

Requirements
  • Download latest version of Google Chrome and Chromedriver
  • Selenium

Usage

Scan: python3.7 jspanda.py

  • Add URLs to url.txt file, for instance : example.com

Basic Source Code Analysis : python3.7 analyze.py

  • Add a JavaScript library's source code to analyze.js
  • Generate PoC code using analyze.py
  • Execute PoC code on Chrome's console. It pollutes all the words collected from the source code and show it on the screen. So it may generate false positive results. These outputs provide additional information to researchers, do not automate everything.

Demonstration

client-side prototype pullution vulnerability scanner (2)


Source code analysis - Screenshot

Supporting Materials :

https://twitter.com/har1sec/status/1314469278322655233

https://github.com/BlackFan/client-side-prototype-pollution

https://github.com/ThePacketBender/notes/blob/01c0b834f6e3ee4d934b087b2d92c9e484dc2a50/web/prototype_pollution.txt

https://habr.com/ru/company/huawei/blog/547178/

https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2

https://github.com/securitum/research/tree/master/r2020_prototype-pollution

Learn Prototype Pollution in Series - Part 2

dwisiswant0/ppfuzz

GitHub - raverrr/plution: Prototype pollution scanner using headless chrome

JavaScript Prototype Poisoning Vulnerabilities in the Wild

The Complete Guide to Prototype Pollution Vulnerabilities

Adblock test (Why?)


You may be interested in:
>> Is a Chromebook worth replacing a Windows laptop?
>> Find out in detail the outstanding features of Google Pixel 4a
>> Top 7 best earbuds you should not miss

Related Posts:
>> Recognizing 12 Basic Body Shapes To Choose Better Clothes
>>Ranking the 10 most used smart technology devices
>> Top 5+ Best E-readers: Compact & Convenient Pen

0 Comments:

Post a Comment