Client-Side Prototype Pollution Tools

September 21, 2021

Match rules for the Burp Software Version Reporter extension

Match rules that let the extension passively detect known vulnerable library versions in proxied responses, even when the JS code is minified.

Rules: match_rules/match-rules.tab
Extension: Software Version Reporter

Prototype Checker

A JS script that highlights custom fields added to prototypes and constructors; such fields reveal which libraries extend the built-ins and can be useful when hunting gadgets for exploiting Prototype Pollution.

Script: prototype_checker/prototype_checker.js
Script Gadget Example: script.aculo.us XSS Script Gadget
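As an added illustration of what such a checker looks for (example code written for this page, not the repository's prototype_checker.js): a baseline of the own property names on a few prototypes and constructors is taken first, and anything that appears on them afterwards is reported with its descriptor shape. The target list and the stand-in "legacy library" that extends the built-ins are constructed for the example, and it runs under Node; in a page you would extend the target list with window, Window.prototype, HTMLElement.prototype and friends and take the baseline before the page's own scripts run.

```javascript
// Added example, not the repository's prototype_checker.js. Snapshot the own
// property keys of a set of prototypes/constructors, then report every key that
// shows up later. Late additions are the custom fields a library put on the
// built-ins; enumerable data properties on Object.prototype are the most
// interesting, since for-in loops and "key in obj" checks see them too.

// Assumed target list (a browser run would add window, Window.prototype, ...).
const TARGETS = {
  'Object.prototype': Object.prototype,
  'Array.prototype': Array.prototype,
  'String.prototype': String.prototype,
  'Function.prototype': Function.prototype,
  'Object': Object,
  'Array': Array,
};

// Record the own keys (string and symbol) each target carries right now.
function snapshot(targets = TARGETS) {
  const snap = new Map();
  for (const [name, obj] of Object.entries(targets)) {
    snap.set(name, new Set(Reflect.ownKeys(obj)));
  }
  return snap;
}

// Report every own key on a target that is missing from the baseline.
function findCustomFields(baseline, targets = TARGETS) {
  const found = [];
  for (const [name, obj] of Object.entries(targets)) {
    const known = baseline.get(name) || new Set();
    for (const key of Reflect.ownKeys(obj)) {
      if (known.has(key)) continue;
      const d = Object.getOwnPropertyDescriptor(obj, key);
      found.push({
        target: name,
        key: String(key),
        kind: d.get || d.set ? 'accessor' : typeof d.value,
        enumerable: d.enumerable,
      });
    }
  }
  return found;
}

// Baseline taken at load time, before the constructed library below runs.
const BASELINE = snapshot();

// Constructed stand-in for a legacy library that extends the built-in
// prototypes (Prototype.js style). Not real library code.
function loadLegacyLibrary() {
  Object.prototype.extend = function (src) { return Object.assign(this, src); };
  Array.prototype.each = function (fn) { this.forEach(fn); return this; };
  String.prototype.evalScripts = function () { return []; };
  Object.defineProperty(Object.prototype, '__vendor', {
    value: 'legacy', enumerable: false, configurable: true,
  });
  Object.clone = function (obj) { return Object.assign({}, obj); };
}

// Load the library, then diff the built-ins against the pristine baseline.
function demo() {
  loadLegacyLibrary();
  return findCustomFields(BASELINE);
}

console.table(demo());
```

Every row in the output is a place to start reading library source: a method that was added to Object.prototype or Array.prototype is one that other code calls on arbitrary objects, and any unguarded property read inside it is a candidate gadget.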


Burp pollute.js

pollute.js is a script that uses code instrumentation to highlight accesses to uninitialized properties, i.e. property reads that fall through to the prototype chain and could therefore be satisfied by a polluted prototype. Together with the small Burp Suite extension in this repository, you can replace the JavaScript in all Burp Proxy HTTP responses with the instrumented code.

Install

  • Install the pollute.js dependencies
  • Set up a webserver that runs pollute.js via pollute.php (or write your own wrapper)
  • Point the link in POLLUTE_JS at that webserver
  • Build the Burp Suite extension

Now you can set up the logging conditions in the PREAMBLE of pollute.js. For example, to search for DOM Clobbering gadgets, replace

obj instanceof Object

with

(obj instanceof Window || obj instanceof Document)

If you want to log property accesses only after Prototype Pollution has actually happened, add the condition

typeof Object.prototype[1337] != 'undefined'

and call the page with

?__proto__[1337]=xxx
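To show what the logging conditions above do once the instrumented code runs, here is an added example written for this page; it is not pollute.js and does not reproduce its instrumentation. Every property read in the "instrumented" page function has been rewritten by hand into a call to an assumed access(obj, prop, site) helper, which reports reads whose lookup would fall through to Object.prototype. The predicate in shouldLog plays the role of the PREAMBLE condition: the default obj instanceof Object, and the gated variant that adds typeof Object.prototype[1337] != 'undefined'. parseQuery is a constructed vulnerable query-string parser that supplies the pollution when called with ?__proto__[1337]=xxx, and renderWidget is a constructed page function. It runs under Node, so the Window/Document variant for DOM Clobbering is mentioned but not exercised.

```javascript
// Added example, not the repository's pollute.js: a hand-written stand-in for
// the instrumentation it injects. Property reads in the "instrumented" code go
// through access(obj, prop, site), which logs reads whose lookup walks the
// chain all the way to Object.prototype, exactly the reads a polluted
// prototype could satisfy. shouldLog mirrors the PREAMBLE condition.

const findings = [];                  // the real tool prints these to the console

// Default PREAMBLE predicate. The DOM Clobbering variant from the text,
// obj instanceof Window || obj instanceof Document, needs a browser and is
// therefore not exercised here (Node has neither class).
let shouldLog = (obj) => obj instanceof Object;

// Gated variant: report only once the marker is on Object.prototype, which the
// vulnerable parser below puts there for ?__proto__[1337]=xxx.
const gatedPredicate = (obj) =>
  obj instanceof Object && typeof Object.prototype[1337] != 'undefined';

// True when no object on the chain before Object.prototype owns prop.
function lookupReachesObjectPrototype(obj, prop) {
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    if (o === Object.prototype) return true;
    if (Object.prototype.hasOwnProperty.call(o, prop)) return false;
  }
  return false;                       // null-prototype chain: pollution cannot reach it
}

// Assumed instrumentation helper: log, then perform the original read.
function access(obj, prop, site) {
  if (obj !== null && obj !== undefined && shouldLog(obj)
      && lookupReachesObjectPrototype(obj, prop)) {
    findings.push({ site, prop });
  }
  return obj == null ? undefined : obj[prop];
}

// Constructed vulnerable source: builds nested objects from a[b]=c pairs and
// never rejects the __proto__ key.
function parseQuery(search) {
  const params = {};
  for (const pair of search.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [rawKey, rawVal = ''] = pair.split('=');
    const path = decodeURIComponent(rawKey).split(/[\[\]]+/).filter(Boolean);
    let cur = params;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof cur[path[i]] !== 'object' || cur[path[i]] === null) cur[path[i]] = {};
      cur = cur[path[i]];             // for "__proto__" this is Object.prototype
    }
    cur[path[path.length - 1]] = decodeURIComponent(rawVal);
  }
  return params;
}

// Constructed page function as it looks after instrumentation (rewritten by
// hand here). "template" is never set by the page, so a polluted
// Object.prototype.template would end up in the output.
function renderWidget(config) {
  const title = access(config, 'title', 'renderWidget:title');
  const tpl = access(config, 'template', 'renderWidget:template');
  return (tpl || '<b>{title}</b>').replace('{title}', title);
}

// Default condition: every fall-through read is reported.
function demoUngated() {
  shouldLog = (obj) => obj instanceof Object;
  findings.length = 0;
  renderWidget({ title: 'Hello' });
  return findings.slice();            // [{ site: 'renderWidget:template', prop: 'template' }]
}

// Gated condition: reads are reported only after the URL has polluted
// Object.prototype[1337]. The marker is removed afterwards so the demo can be
// repeated within one process.
function demoGated(search) {
  shouldLog = gatedPredicate;
  findings.length = 0;
  try {
    const config = Object.assign({ title: 'Hello' }, parseQuery(search));
    renderWidget(config);
    return findings.slice();
  } finally {
    delete Object.prototype[1337];
  }
}

console.log('ungated:', demoUngated());
console.log('gated, clean URL:', demoGated('?title=hi'));                 // []
console.log('gated, polluted URL:', demoGated('?__proto__[1337]=xxx'));   // template read logged
```

The gate is what keeps the log usable on a real page: without it every missing option read by every library is reported, with it you only see the reads that happen after the injected ?__proto__[1337]=xxx has actually reached Object.prototype, which is the moment from which any of them could be controlled by the attacker.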
