Match rules that passively detect vulnerable libraries even in minified JS code.
Rules: match_rules/match-rules.tab
Extension: Software Version Reporter
JS script that highlights custom fields in prototypes and constructors that can be useful in exploiting Prototype Pollution.
Script: prototype_checker/prototype_checker.js
Script Gadget Example: script.aculo.us XSS Script Gadget
pollute.js is a script that highlights access to uninitialized properties using code instrumentation. Combined with a small Burp Suite extension, it lets you replace all Burp Proxy HTTP responses with the instrumented code.
- Install pollute.js dependencies
- Set up a web server to run pollute.js using pollute.php (or write your own wrapper)
- Customize your link in POLLUTE_JS
- Build Burp Suite extension
Now you can set up logging conditions in the PREAMBLE section of pollute.js. For example, to search for DOM Clobbering gadgets, replace
obj instanceof Object
with
(obj instanceof Window || obj instanceof Document)
If you want to log access to properties only after Prototype Pollution has already triggered, add the condition
typeof Object.prototype[1337] != 'undefined'
and call the page with
?__proto__[1337]=xxx
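The two PREAMBLE conditions above, tried out in isolation as an added example (this is not pollute.js or the project's own code): instead of the build-time instrumentation pollute.js performs, a Proxy intercepts property reads, and the filter predicate, `pollutionTriggered`, `instrument` and `runSample` are names assumed here for illustration.

```javascript
// Added example, not pollute.js: a Proxy-based stand-in for its instrumentation
// hook, so the PREAMBLE logging conditions can be exercised outside a browser.

// Mirrors the "log only after Prototype Pollution has triggered" condition:
// the page plants Object.prototype[1337] via ?__proto__[1337]=xxx.
function pollutionTriggered() {
  return typeof Object.prototype[1337] != 'undefined';
}

// Wrap `target` so every read of a property it does not own (resolved from the
// prototype chain, or undefined) is pushed to `log`. `shouldLog(obj)` plays the
// role of the PREAMBLE filter, e.g. `obj instanceof Object`.
function instrument(target, shouldLog, log) {
  return new Proxy(target, {
    get(obj, prop, receiver) {
      // Own properties are "initialized" and can never come from a polluted
      // prototype; symbols are internal protocol reads and are skipped too.
      const own = Object.prototype.hasOwnProperty.call(obj, prop);
      if (typeof prop === 'string' && !own && shouldLog(obj)) {
        log.push({ prop, fromPrototype: prop in obj, value: obj[prop] });
      }
      return Reflect.get(obj, prop, receiver);
    }
  });
}

// Constructed sample: application code reads an optional `transport` setting
// and falls back to a default. That read is exactly what the tool highlights,
// because a polluted prototype can supply the missing value.
function runSample(onlyAfterPollution) {
  const log = [];
  const filter = obj => (onlyAfterPollution ? pollutionTriggered() : obj instanceof Object);
  const config = instrument({ url: '/api', retries: 2 }, filter, log);
  const transport = config.transport || 'xhr'; // uninitialized read, logged
  const url = config.url;                      // own property, not logged
  return { transport, url, log };
}
```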