Proto Find Save

Let's check if your target is vulnerable for client side prototype pollution.

Project README

proto-find

proto-find is a tool for researchers that lets you find client side prototype pollution vulnerability.

How it works

proto-find open URL in Chrome using headless mode using chromedp.

All you need is installed Chrome browser.

You have to provide JavaScript code in -js parameter which will be run in context of URL.

For the provided payload list (payloads.txt) the JavaScript code should be: window.elo

proto-find will process the URL in following way:

if URL is http://example.com/ the tool add payloads after "/", e.g. http://example.com/?__proto__[elo]=melo
if URL has some parameters, e.g. http://example.com/?name=test&work=hard&coffee=yes the tool will inject the payload into each parameter, but one by one leaving the original values. See which requests will be executed:

Installation

proto-find is written with Go and can be installed with go get:

▶ go get github.com/kosmosec/proto-find

Or you can clone the respository and build it manually:

▶ git clone https://github.com/kosmosec/proto-find.git
▶ cd proto-find
▶ go install

Options

You can get the proto-find help output by running proto-find -help:

▶ proto-find -help
Usage of proto-find:
  -c int
    	set concurrency (default 5)
  -cookie string
    	set cookies, ex. -cookie "session=hacker"
  -h string
    	file with custom headers
  -js string
    	JS script which check if prototype pollution exists
  -p string
    	file with client side prototype pollution payloads
  -proxy string
    	set proxy for requests, -proxy "http://<IP>:<PORT>"
  -rate int
    	max rate for requests
  -u string
    	file with URLs to scan
  -v	version

Usage

The concurrency (-c) 5 is the best for performance on regular computers.

Simple case

Run

proto-find -u ./urls -p ./payloads.txt -js window.elo

Run

cat urls | proto-find -p ./payloads.txt -js window.elo

Output

Vulnerable target http://<TARGET>/?name=test&work=hard&coffee=yes&__proto__[elo]={"json":"value"}
Vulnerable target http://<TARGET>/?name=test&work=hard&coffee=yes&__proto__[elo]=melo
Vulnerable target http://<TARGET>/?name=test&work=hard&coffee=yes&constructor[prototype][elo]=melo

With cookies and proxy

Run

proto-find -u ./urls -p ./payloads.txt -js window.elo -cookie "JSESSIONID=test;hello=world" -proxy "http://IP:PORT" -c 5

With custom headers

Copy headers from Burp Suite and paste to the file, e.x.

X-Org: test
Auth: custom

Run

proto-find -u ./urls -p ./payloads.txt -h ./headers -js window.elo -cookie "JSESSIONID=test;hello=world"  -proxy "http://IP:PORT" -c 5

Credits

Open Source Agenda is not affiliated with "Proto Find" Project. README Source: kosmosec/proto-find

Stars

Open Issues

Last Commit

3 months ago

Repository

kosmosec/proto-find

License

MIT

Open Source Agenda Badge

<a href="https://www.opensourceagenda.com/projects/proto-find"><img src="https://www.opensourceagenda.com/projects/proto-find/reviews/badge.svg" alt="Open Source Agenda"></a>

Submit Review Review Your Favorite Project

Submit Resource Articles, Courses, Videos

Submit Article Submit a post to our blog

From the blog

Dec 11, 2022

How to Choose Which Programming Language to Learn First?

From the blog

Dec 11, 2022