Prototype Pollution Fuzzer
A fast tool to scan client-side prototype pollution vulnerability written in Rust. 🦀
- Installation
- Demonstration
- Usage
- Usage
- Supporting Materials
- Contributing
- Attribution
- Acknowledments
- License
Simply, download a pre-built binary from releases page and run!
NOTE: Rust should be installed! |
Using cargo
:
â–¶ cargo install ppfuzz
Manual building executable from source code:
â–¶ git clone https://github.com/dwisiswant0/ppfuzz
â–¶ cd ppfuzz && cargo build --release
# binary file located at target/release/ppfuzz
ppfuzz uses chromiumoxide, which requires Chrome or Chromium browser to be installed.
If the CHROME
environment variable is set, then it'll use it as the default executable. Otherwise, the filenames google-chrome-stable
, chromium
, chromium-browser
, chrome
and chrome-browser
are searched for in standard places. If that fails, /Applications/Google Chrome.app/...
(on MacOS) or the registry (on Windows) is consulted.
As you can see in the demo above (click to view in high-quality), ppfuzz attempts to check for prototype-pollution vulnerabilities by adding an object & pointer queries, if it's indeed vulnerable: it'll fingerprinting the script gadgets used and then display additional payload info that could potentially escalate its impact to XSS, bypass or cookie injection.
It's fairly simple to use ppfuzz!
â–¶ ppfuzz -l FILE [OPTIONS]
Use -l/--list
to provide input list:
â–¶ ppfuzz -l FILE
You can also provide the list using I/O redirection:
â–¶ ppfuzz < FILE
— or chain it from another command output:
â–¶ cat FILE | ppfuzz
Only show vulnerable targets/suppress an errors:
â–¶ ppfuzz -l FILE 2>/dev/null
Here are all the options it supports:
â–¶ ppfuzz -h
Flag | Description | Default value |
---|---|---|
-l, --list | List of target URLs | |
-c, --concurrency | Set the concurrency level | 5 |
-t, --timeout | Max. time allowed for connection (s) | 30 |
-h, --help | Prints help information | |
-V, --version | Prints version information |
- Nuclei templates
- PPScan
- Prototype Pollution and useful Script Gadgets
- JavaScript prototype pollution attack in NodeJS
- Prototype pollution – and bypassing client-side HTML sanitizers
When I started ppfuzz, I had very little or no knowledge on Rust and I believe there may be a lot of drawbacks/security vulnerabilities. So all contributions are welcome, of course — any bug reports & suggestions are appreciated, some environment have not been tested yet.
Besides being my learning medium, this tool was created because it was inspired by @R0X4R's tip on how to automate prototype pollution checking using page-fetch.
Cross-compile GitHub workflow inspired by crodjer's sysit.
Since this tool includes some contributions, I'll publically thank the following users for their helps and resources:
- @mattsse - for his awesome chromiumoxide & mentoring me which helped a lot to quickly adapt Rust!
Fourty2#4842
(Discord) - for helpful workaround.- All contributors.
ppfuzz is distributed under MIT. See LICENSE
.