-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathproto-inject.js
88 lines (69 loc) · 2.61 KB
/
proto-inject.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
// Check for all objects in current DOM - paste into console
//
//
document.querySelectorAll('*').forEach(el => {
try {
let tag = el.tagName;
if (!window[tag]) {
// This checks if there's a global constructor for the tag
console.log(`No global constructor for: ${tag}`);
return;
}
const testProp = `testProp${Date.now()}`;
window[tag].prototype[testProp] = 'testValue';
if (el[testProp] === 'testValue') {
console.log(`Potential prototype pollution vulnerability found in ${tag}`);
}
delete window[tag].prototype[testProp]; // Attempt clean-up
} catch (error) {
console.error(`Error testing ${el.tagName}:`, error);
}
});
Output: VM295:6 No global constructor for: DIV
VM295:6 No global constructor for: PIN-PARAGRAPH
VM295:6 No global constructor for: P
VM295:6 No global constructor for: A
3VM295:6 No global constructor for: DIV
VM295:6 No global constructor for: PIN-PARAGRAPH
VM295:6 No global constructor for: P
VM295:6 No global constructor for: A
3VM295:6 No global constructor for: DIV
VM295:6 No global constructor for: PIN-PARAGRAPH
VM295:6 No global constructor for: P
VM295:6 No global constructor for: A
3VM295:6
---
// to get a list of ID's in use:
const allIds = [...new Set([...document.querySelectorAll('*')].map(el => el.id).filter(id => id))];
console.log(allIds);
document.querySelectorAll('*').forEach(el => {
try {
let tag = el.tagName;
if (!window[tag]) {
// This checks if there's a global constructor for the tag
console.log(`No global constructor for: ${tag}`);
return;
}
const testProp = `testProp${Date.now()}`;
window[tag].prototype[testProp] = 'testValue';
if (el[testProp] === 'testValue') {
console.log(`Potential prototype pollution vulnerability found in ${tag}`);
}
delete window[tag].prototype[testProp]; // Attempt clean-up
} catch (error) {
console.error(`Error testing ${el.tagName}:`, error);
}
});
Test Prototypes for pollution in inspect:
constructors.forEach(constructor => {
try {
const propName = 'polluted' + Math.random(); // Unique property name
constructor.prototype[propName] = "This is a test";
if ((new constructor())[propName] === "This is a test") {
console.log(`Vulnerable to prototype pollution: ${constructor.name}`);
}
delete constructor.prototype[propName]; // Clean up
} catch (error) {
console.log(`Error testing ${constructor.name}:`, error);
}
});