<a href="https://1.bp.blogspot.com/-uBauZSD-Bhk/YUseN81_vXI/AAAAAAAAvSM/EC84hZKBoEwOsqwKqEIWBK4gLBDaa3zKgCNcBGAsYHQ/s1099/jspanda_3_pollute.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="844" data-original-width="1099" height="492" src="https://1.bp.blogspot.com/-uBauZSD-Bhk/YUseN81_vXI/AAAAAAAAvSM/EC84hZKBoEwOsqwKqEIWBK4gLBDaa3zKgCNcBGAsYHQ/w640-h492/jspanda_3_pollute.png" width="640" /></a> JSpanda is client-side prototype pollution <a href="https://www.kitploit.com/search/label/Vulnerability" target="_blank" title="vulnerability">vulnerability</a> scanner. It has two key features, scanning vulnerability the supplied URLs and analyzing the JavaScript libraries' source code. However, JSpanda cannot detect advanced prototype pollution vulnerabilities.<a name='more'></a><div> </div>How JSPanda works? <ul> <li>Uses multiple payloads for prototype pollution vulnerability.</li> <li>Gathers all the links in the targets for scanning and add payloads to JSpanda-obtained URLs, navigates to each URL with headless Chromedriver.</li> <li>Scans all words in the source code of potentially vulnerable JavaScript library and it creates a simple JS PoC by finding the script gadget, helping you analyze the code manually.</li> </ul> Requirements <ul> <li>Download latest version of Google Chrome and Chromedriver</li> <li>Selenium</li> </ul> Usage Scan: python3.7 jspanda.py <ul> <li>Add URLs to url.txt file, for instance : example.com</li> </ul> Basic <a href="https://www.kitploit.com/search/label/Source%20Code%20Analysis" target="_blank" title="Source Code Analysis">Source Code Analysis</a> : python3.7 analyze.py <ul> <li>Add a JavaScript library's source code to analyze.js</li> <li>Generate PoC code using analyze.py</li> <li>Execute PoC code on Chrome's console. It pollutes all the words collected from the source code and show it on the screen. So it may generate false positive results. These outputs provide additional information to researchers, do not automate everything.</li> </ul> Demonstration <a href="https://asciinema.org/a/BOazgAVyW6yHqhUE3fEYcCiML" rel="nofollow" target="_blank" title="client-side prototype pullution vulnerability scanner (4)"><img alt="client-side prototype pullution vulnerability scanner (2)" data-canonical-src="https://asciinema.org/a/BOazgAVyW6yHqhUE3fEYcCiML.svg" src="https://camo.githubusercontent.com/b6c5d8b24c254dcdea70d25100ce01491c28c93b9d373a2a270606ed3b38da67/68747470733a2f2f61736369696e656d612e6f72672f612f424f617a674156795736794871685545336645596343694d4c2e737667" style="max-width: 100%;" /></a> Source <a href="https://www.kitploit.com/search/label/Code%20Analysis" target="_blank" title="code analysis">code analysis</a> - Screenshot <div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-uBauZSD-Bhk/YUseN81_vXI/AAAAAAAAvSM/EC84hZKBoEwOsqwKqEIWBK4gLBDaa3zKgCNcBGAsYHQ/s1099/jspanda_3_pollute.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="844" data-original-width="1099" height="492" src="https://1.bp.blogspot.com/-uBauZSD-Bhk/YUseN81_vXI/AAAAAAAAvSM/EC84hZKBoEwOsqwKqEIWBK4gLBDaa3zKgCNcBGAsYHQ/w640-h492/jspanda_3_pollute.png" width="640" /></a></div> Supporting Materials : <a href="https://twitter.com/har1sec/status/1314469278322655233" rel="nofollow" target="_blank" title="https://twitter.com/har1sec/status/1314469278322655233">https://twitter.com/har1sec/status/1314469278322655233</a> <a href="https://github.com/BlackFan/client-side-prototype-pollution" rel="nofollow" target="_blank" title="https://github.com/BlackFan/client-side-prototype-pollution">https://github.com/BlackFan/client-side-prototype-pollution</a> <a href="https://github.com/ThePacketBender/notes/blob/01c0b834f6e3ee4d934b087b2d92c9e484dc2a50/web/prototype_pollution.txt" rel="nofollow" target="_blank" title="https://github.com/ThePacketBender/notes/blob/01c0b834f6e3ee4d934b087b2d92c9e484dc2a50/web/prototype_pollution.txt">https://github.com/ThePacketBender/notes/blob/01c0b834f6e3ee4d934b087b2d92c9e484dc2a50/web/prototype_pollution.txt</a> <a href="https://habr.com/ru/company/huawei/blog/547178/" rel="nofollow" target="_blank" title="https://habr.com/ru/company/huawei/blog/547178/">https://habr.com/ru/company/huawei/blog/547178/</a> <a href="https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2" rel="nofollow" target="_blank" title="https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2">https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2</a> <a href="https://github.com/securitum/research/tree/master/r2020_prototype-pollution" rel="nofollow" target="_blank" title="https://github.com/securitum/research/tree/master/r2020_prototype-pollution">https://github.com/securitum/research/tree/master/r2020_prototype-pollution</a> <a href="https://attacker-codeninja.github.io/2021-07-05-Learn-Prototype-Pollution-Part-2/" rel="nofollow" target="_blank" title="Learn">Learn </a><a href="https://www.kitploit.com/search/label/Prototype%20Pollution" target="_blank" title="Prototype Pollution">Prototype Pollution</a> in Series - Part 2 <a href="https://github.com/dwisiswant0/ppfuzz" rel="nofollow" target="_blank" title="dwisiswant0/ppfuzz">dwisiswant0/ppfuzz</a> <a href="https://github.com/raverrr/plution" rel="nofollow" target="_blank" title="GitHub - raverrr/plution: Prototype pollution scanner using headless chrome">GitHub - raverrr/plution: Prototype pollution scanner using headless chrome</a> <a href="https://medium.com/intrinsic-blog/javascript-prototype-poisoning-vulnerabilities-in-the-wild-7bc15347c96" rel="nofollow" target="_blank" title="JavaScript Prototype Poisoning Vulnerabilities in the Wild">JavaScript Prototype Poisoning Vulnerabilities in the Wild</a> <a href="https://www.whitesourcesoftware.com/resources/blog/prototype-pollution-vulnerabilities/" rel="nofollow" target="_blank" title="The Complete Guide to Prototype Pollution Vulnerabilities">The Complete Guide to Prototype Pollution Vulnerabilities</a> <div style="text-align: center;"><a class="kiploit-download" href="https://github.com/RedSection/jspanda" rel="nofollow" target="_blank" title="Download Jspanda">Download Jspanda</a></div>

JSPanda - Client-Side Prototype Pullution Vulnerability Scanner

Dave McDaniel of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. Cisco Talos recently discovered an exploitable information disclosure vulnerability in the D-LINK DIR-3040 smart WiFi mesh router that could allow an adversary to eventually turn off the device or remove other...

[[ This is only the beginning! Please visit the blog for the complete entry ]]

Tag

#vulnerabilities