<a href="http://1.bp.blogspot.com/-Eph2jPyIEs4/YTVMaWNoJNI/AAAAAAAAt7w/2fS0PnouBd0kTzMlCj8esDtcSXJolnV1wCK4BGAYYCw/s1600/plution_1-714956.png"><img alt="" border="0" height="556" id="BLOGGER_PHOTO_ID_7004588810967721170" src="http://1.bp.blogspot.com/-Eph2jPyIEs4/YTVMaWNoJNI/AAAAAAAAt7w/2fS0PnouBd0kTzMlCj8esDtcSXJolnV1wCK4BGAYYCw/w640-h556/plution_1-714956.png" width="640" /></a> Plution is a convenient way to scan at scale for pages that are <a href="https://www.kitploit.com/search/label/Vulnerable" target="_blank" title="vulnerable">vulnerable</a> to <a href="https://www.kitploit.com/search/label/Client%20Side" target="_blank" title="client side">client side</a> <a href="https://www.kitploit.com/search/label/Prototype%20Pollution" target="_blank" title="prototype pollution">prototype pollution</a> via a URL payload. In the default configuration, it will use a hardcoded payload that can detect 11 of the cases documented here: <a href="https://github.com/BlackFan/client-side-prototype-pollution/tree/master/pp" rel="nofollow" target="_blank" title="https://github.com/BlackFan/client-side-prototype-pollution/tree/master/pp">https://github.com/BlackFan/client-side-prototype-pollution/tree/master/pp</a><a name='more'></a><div> </div>What this is not This is not a one stop shop. Prototype pollution is a complicated beast. This tool does nothing you couldn't do manually. This is not a polished bug-free super tool. It is functional but poorly coded and to be considered alpha at best. How it works Plution appends a payload to supplied URLs, naviguates to each URL with <a href="https://www.kitploit.com/search/label/Headless%20Chrome" target="_blank" title="headless chrome">headless chrome</a> and runs javascript on the page to verify if a prototype was successfully polluted. how it is used <ul> <li> Basic scan, output only to screen: <code>cat URLs.txt | plution</code> </li> <li> Scan with a supplied payload rather than hardcoded one: <code>cat URLs.txt|plution -p '__proto__.zzzc=example'</code> Note on custom payloads: The variable you are hoping to inject must be called or render to "zzzc". This is because 'window.zzzc' will be run on each page to verify pollution. </li> <li> Output: <code>Passing '-o' followed by a location will output only URLs of pages that were successfully polluted.</code> </li> <li> Concurrency: </li> <li> <code>Pass the '-c' option to specify how many concurrent jobs are run (default is 5)</code> </li> </ul> questions and answers <ul> <li> How do I install it? <code>go get -u github.com/raverrr/plution</code> </li> <li> why specifically limit it to checking if window.zzzc is defined? <code>zzzc is a short pattern that is unlikely to already be in a prototype. If you want more freedom in regards to the javascript use https://github.com/detectify/page-fetch instead</code> </li> <li> Got a more specific question? <code>Ask me on twitter @divadbate.</code> </li> </ul> <div style="text-align: center;"><a class="kiploit-download" href="https://github.com/raverrr/plution" rel="nofollow" target="_blank" title="Download Plution">Download Plution</a></div>

Tag

#Plution