A scanner/exploitation tool written in Go that leverages Prototype Pollution to reach XSS by exploiting known gadgets.

Overview

ppmap

A simple scanner/exploitation tool written in Go that automatically exploits known, existing gadgets (it checks for specific variables in the global context) to perform XSS via Prototype Pollution. NOTE: the program only exploits known gadgets; it does not do code analysis or any advanced Prototype Pollution exploitation, such as custom gadgets.

Requirements

Make sure to have chromedp installed:
go get -u github.com/chromedp/chromedp

Installation

  • Automatically

    • Download the already compiled binary here
  • Manually (compile it yourself)

    • Clone the project:
      git clone https://github.com/kleiton0x00/ppmap.git
    • Change directory to ppmap folder:
      cd ~/ppmap
    • Build the binary
      go build ppmap.go

Usage

Using the program is very simple; you can either:

  • scan a directory/file: echo 'https://target.com/index.html' | ./ppmap

  • or an endpoint: echo 'http://target.com/something/?page=home' | ./ppmap

For mass scanning:
cat url.txt | ./ppmap, where url.txt contains one URL per line.

Demo

Features

  • Identify whether the website is vulnerable to Prototype Pollution by a heuristic scan
  • Fingerprint the known gadgets (checks for specific variables in the global context)
  • Display the final exploit, ready to perform XSS
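As an added example (not ppmap's own code), here is what the heuristic scan and the gadget fingerprint above amount to in JavaScript: a deliberately vulnerable deparam-style query parser next to a hardened one, the probe that checks whether Object.prototype picked up the marker property, and a lookup of known library globals. The marker name ppmap and the two probe key shapes come from this page (the constructor variant appears verbatim in the issues below); the parser code, the stand-in global context and the gadget names list are assumptions made for the example.

```javascript
// Added example, not part of ppmap. It runs under Node and simulates what the
// scanner does inside a headless browser: feed a pollution probe to the page's
// query parser, then check whether a fresh object inherits the marker.

const MARKER = "ppmap"; // marker property name used by the tool's probe payload
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Probe payloads in the two key shapes shown on this page.
const PROBES = [
  "__proto__[" + MARKER + "]=reserved",
  "constructor[prototype][" + MARKER + "]=reserved",
];

// Split "a[b][c]=v&x=y" into [{ parts: ["a","b","c"], value: "v" }, ...].
function parsePairs(query) {
  const pairs = [];
  for (const pair of query.replace(/^[?#]/, "").split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? "" : pair.slice(eq + 1);
    const key = decodeURIComponent(rawKey);
    const parts = key.split(/\]?\[|\]/).filter(Boolean);
    if (parts.length) pairs.push({ parts, value: decodeURIComponent(rawVal) });
  }
  return pairs;
}

// Deliberately vulnerable (assumed) deparam-style parser: it walks bracket
// keys and reuses whatever object it finds on the way, so "__proto__" leads it
// to Object.prototype and "constructor[prototype]" gets there via the Object
// function.
function deparamVulnerable(query) {
  const result = {};
  for (const { parts, value } of parsePairs(query)) {
    let cur = result;
    for (let i = 0; i < parts.length - 1; i++) {
      if (cur[parts[i]] == null) cur[parts[i]] = {};
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return result;
}

// Hardened variant: drop any pair whose key path touches a prototype-related
// name, and build the result from null-prototype objects so there is no
// inherited chain to walk into even if a check is ever missed.
function deparamHardened(query) {
  const result = Object.create(null);
  for (const { parts, value } of parsePairs(query)) {
    if (parts.some((p) => FORBIDDEN_KEYS.has(p))) continue;
    let cur = result;
    for (let i = 0; i < parts.length - 1; i++) {
      if (cur[parts[i]] == null) cur[parts[i]] = Object.create(null);
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return result;
}

// The heuristic itself: a brand-new empty object must not see the marker.
function isPrototypePolluted(marker = MARKER) {
  return ({})[marker] !== undefined;
}

function clearMarker(marker = MARKER) {
  delete Object.prototype[marker];
}

// Feed each probe to a parser and report the ones that polluted the prototype.
function scanParser(parser) {
  const hits = [];
  for (const probe of PROBES) {
    clearMarker();
    parser(probe);
    if (isPrototypePolluted()) hits.push(probe);
    clearMarker();
  }
  return hits;
}

// Gadget fingerprint: which known library globals exist in the global context?
// The context is a constructed object standing in for window, and the names
// are illustrative assumptions, not the tool's actual gadget list.
const KNOWN_GADGET_GLOBALS = ["jQuery", "Vue", "_"];

function fingerprintGadgets(globalContext, names = KNOWN_GADGET_GLOBALS) {
  return names.filter((n) => typeof globalContext[n] !== "undefined");
}

console.log("vulnerable parser hits:", scanParser(deparamVulnerable)); // both probes
console.log("hardened parser hits:", scanParser(deparamHardened)); // []
console.log("gadgets:", fingerprintGadgets({ jQuery: {}, unrelated: 1 })); // ["jQuery"]
```

The probe is cheap because it never needs a gadget: polluting a harmless marker and reading it back from a fresh object proves the parser is reachable, and only then is it worth fingerprinting which library globals (and therefore which gadgets) are present. On the defensive side, rejecting the three key names is necessary but the null-prototype result is what makes the parser safe even when a future bypass slips past the list.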

Credits

Many thanks to @Tomnomnom for the inspiration: https://www.youtube.com/watch?v=Gv1nK6Wj8qM&t=1558s
The workflow of this program is hugely based on this article: https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2
The fingerprint javascript file is based on this git: https://gist.github.com/nikitastupin/b3b64a9f8c0eb74ce37626860193eaec

Issues
  • Add the location.hash source

    Hi,

    Some web pages may use the "location.hash" to read the hash value. It's better to check this source along with the "location.search". The following code uses a vulnerable gadget (jquery deparam) to read the hash value.

    Payload for this gadget: ?__proto__[onload]=alert(1)
    Case-1: location.search -> ppmap detects the pollution and generates the above payload
    Case-2: location.hash -> ppmap does not detect the pollution

    XSS Challenge from r/Slackers
    opened by bnematzadeh 5
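Following up on the point raised in this issue, as an added example that is neither ppmap's code nor the reporter's: a check that inspects only location.search misses a payload carried in location.hash. The function below extracts both sources from a URL with the WHATWG URL API and flags parameter keys shaped like a pollution attempt. The URLs are constructed, and the key pattern is an assumption for this example rather than the tool's own heuristic.

```javascript
// Added example, not part of ppmap: compare a search-only check with one that
// also covers location.hash. Runs under Node (uses the global URL class).

// Key path segments that indicate a prototype-pollution attempt. The pattern
// is an assumption for this example, not the tool's own heuristic.
const POLLUTION_KEY = /(^|[\[.])(__proto__|constructor|prototype)(\]|$|[\[.])/;

// Raw parameter strings a client-side parser might consume, by source name.
function pollutionSources(urlString) {
  const u = new URL(urlString);
  return {
    search: u.search.replace(/^\?/, ""),
    hash: u.hash.replace(/^#/, ""),
  };
}

function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s; // malformed percent-encoding: inspect the raw text instead
  }
}

// Returns the names of the inspected sources that carry a suspicious key.
// Restrict `sources` to ["search"] to reproduce the search-only behaviour
// described in the issue.
function flagSources(urlString, sources = ["search", "hash"]) {
  const all = pollutionSources(urlString);
  const flagged = [];
  for (const name of sources) {
    for (const pair of all[name].split("&")) {
      const key = safeDecode(pair.split("=")[0]);
      if (POLLUTION_KEY.test(key)) {
        flagged.push(name);
        break;
      }
    }
  }
  return flagged;
}

// Constructed URLs (example.test is a reserved name, not a real host).
const HASH_CARRIED = "https://example.test/index.html#__proto__[ppmap]=reserved";
const SEARCH_CARRIED =
  "https://example.test/?page=home&constructor%5Bprototype%5D%5Bppmap%5D=reserved";
const BENIGN = "https://example.test/?page=home#section-2";

console.log(flagSources(HASH_CARRIED, ["search"])); // [] - the search-only check misses it
console.log(flagSources(HASH_CARRIED)); // ["hash"]
console.log(flagSources(SEARCH_CARRIED)); // ["search"]
console.log(flagSources(BENIGN)); // []
```

The fragment never leaves the browser, so server access logs and a WAF cannot see a hash-carried key at all; a check like this has to run client-side (for example in the headless browser a scanner drives) or over URLs collected on the client.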
  • Error on running

        c:\go\src\github.com\chromedp\cdproto\page (from $GOROOT)
        C:\Users\Yaseen\go\src\github.com\chromedp\cdproto\page (from $GOPATH)
    ........\go\src\github.com\chromedp\chromedp\browser.go:18:2: cannot find package "github.com/chromedp/cdproto/runtime" in any of:
        c:\go\src\github.com\chromedp\cdproto\runtime (from $GOROOT)
        C:\Users\Yaseen\go\src\github.com\chromedp\cdproto\runtime (from $GOPATH)
    ........\go\src\github.com\chromedp\chromedp\browser.go:19:2: cannot find package "github.com/chromedp/cdproto/target" in any of:
        c:\go\src\github.com\chromedp\cdproto\target (from $GOROOT)
        C:\Users\Yaseen\go\src\github.com\chromedp\cdproto\target (from $GOPATH)
    ........\go\src\github.com\chromedp\chromedp\conn.go:9:2: cannot find package "github.com/gobwas/ws" in any of:
        c:\go\src\github.com\gobwas\ws (from $GOROOT)
        C:\Users\Yaseen\go\src\github.com\gobwas\ws (from $GOPATH)
    ........\go\src\github.com\chromedp\chromedp\conn.go:10:2: cannot find package "github.com/gobwas/ws/wsutil" in any of:
        c:\go\src\github.com\gobwas\ws\wsutil (from $GOROOT)
        C:\Users\Yaseen\go\src\github.com\gobwas\ws\wsutil (from $GOPATH)
    ........\go\src\github.com\chromedp\chromedp\browser.go:13:2: cannot find package "github.com/mailru/easyjson" in any of:
        c:\go\src\github.com\mailru\easyjson (from $GOROOT)
        C:\Users\Yaseen\go\src\github.com\mailru\easyjson (from $GOPATH)
    ........\go\src\github.com\chromedp\chromedp\conn.go:11:2: cannot find package "github.com/mailru/easyjson/jlexer" in any of:
        c:\go\src\github.com\mailru\easyjson\jlexer (from $GOROOT)
        C:\Users\Yaseen\go\src\github.com\mailru\easyjson\jlexer (from $GOPATH)
    ........\go\src\github.com\chromedp\chromedp\conn.go:12:2: cannot find package "github.com/mailru/easyjson/jwriter" in any of:
        c:\go\src\github.com\mailru\easyjson\jwriter (from $GOROOT)
        C:\Users\Yaseen\go\src\github.com\mailru\easyjson\jwriter (from $GOPATH)

    I am getting this error on building. I have Chromium installed.

    opened by hellofresh01 4
  • Taking Too Long

    Hi, as I start this tool it only shows that it's starting, only (?constructor%5Bprototype%5D%5Bppmap%5D=reserved) is executed, and then it just keeps on working. Even though I gave it an hour there was still no result and not even a next payload. Can you kindly guide me with this problem?

    opened by awais922609 4
  • not running

    Downloaded the precompiled binary and tried running ppmap but gave "permission denied"

    When I tried with sudo it says "command not found"

    opened by anindya14 2
  • License needed

    Please provide information about the licence for this software, because without this the tool cannot be used in environments requiring strict software regulations.

    opened by jakub-botwicz 1
  • Idea: use js-library-detector for broader gadgets detection

    There's an npm project at https://www.npmjs.com/package/js-library-detector which provides code/library that you can run to detect which libraries exist on the page. Very similar to the gadgets detection that you referenced in the https://gist.github.com/nikitastupin/b3b64a9f8c0eb74ce37626860193eaec snippet.

    opened by lirantal 1
  • Awesome job!

    Hi Kleiton,

    Great job putting this together! It's handy to run quick scans and demonstrate the issue in general for awareness and education reasons.

    Thanks ❤️

    opened by lirantal 1
  • accommodating a more standard import

    For better readability, all packages must be grouped within the same import. Nothing changes if they are declared individually, since the compiler reads them the same way, but it is more idiomatic to do it this way, especially for other developers.

    opened by GuillermoMajano 0
Releases(v1.2.0)
Owner
kleiton0x00
Kleiton Kurti is an Infosec Self-Learner and a Bug Hunter in his free time.