Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/kleiton0x00/ppmap

A scanner/exploitation tool written in GO, which leverages client-side Prototype Pollution to XSS by exploiting known gadgets.
https://github.com/kleiton0x00/ppmap

bug-bounty bugbounty bugbounty-tool cybersecurity infosec prototype-pollution xss xss-detection xss-exploitation xss-vulnerability

Last synced: 19 days ago
JSON representation

A scanner/exploitation tool written in GO, which leverages client-side Prototype Pollution to XSS by exploiting known gadgets.

Awesome Lists containing this project

README

        

# ppmap ![markdown_statistic](https://img.shields.io/github/downloads/kleiton0x00/ppmap/total)
A simple scanner/exploitation tool written in GO which automatically exploits known and existing gadgets (checks for specific variables in the global context) to perform XSS via Prototype Pollution. NOTE: The program only exploits known gadgets, but does not cover code analysis or any advanced Prototype Pollution exploitation, which may include custom gadgets.

## Requirements
Make sure to have Chromium installed. No need to worry, **setup.sh** will automatically install that for you.

## Installation
- Run the following command to clone the repo:
```bash
git clone https://github.com/kleiton0x00/ppmap.git
```
- Change the directory to ppmap and execute **setup.sh**:
```bash
cd ppmap/ && bash setup.sh
```
That's it. Enjoy using ppmap!

- Note: If you face error during manually compiling or during the setup (for some reasons), you can download the precompiled one:
- Download the already compiled binary [here](https://github.com/kleiton0x00/ppmap/releases)
- Give it the permission to execute ```chmod +x ppmap```

## Usage

Using the program is very simple, you can either:
- scan a directory/file (or even just the website itself):
```echo 'https://target.com' | ppmap```

- or endpoint:
```echo 'http://target.com/something/?page=home' | ppmap```

For mass scanning:
``` cat url.txt | ppmap``` where **url.txt** contains all url(s) in column.

## Demo
![](https://i.imgur.com/05nvfwX.gif)

Feel free to test the tool on the following websites as a part of demonstration and to also check if the software is working correctly:
https://msrkp.github.io/pp/2.html
https://ctf.nikitastupin.com/pp/known.html
https://grey-acoustics.surge.sh

## Workflow

- Identify if the website is vulnerable to Prototype Pollution by heuristic scan (via location.hash and location.search)
- Fingerprint the known gadgets (checks for specific variables in the global context)
- Display the final XSS payload which can be exploited

## Credits

Many thanks to @Tomnomnom for the inspiration: https://www.youtube.com/watch?v=Gv1nK6Wj8qM&t=1558s
The workflow of this program is hugely based on this article: https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2
The fingerprint javascript file is based on this git: https://gist.github.com/nikitastupin/b3b64a9f8c0eb74ce37626860193eaec

## In the news
- 14/06/21: [Intigriti Bug Bytes #131](https://blog.intigriti.com/2021/07/14/bug-bytes-131-credential-stuffing-in-bug-bounty-hijacking-shortlinks-hacker-shows/) - Tool of the week
- 26/06/21: [Hackin9](https://hakin9.org/ppmap-a-scanner-exploitation-tool/) - Article
- 23/09/21: [GeeksForGeeks](https://www.geeksforgeeks.org/ppmap-a-scanner-or-exploitation-tool-written-in-go/) - Article
- 22/10/21: [Hacktricks](https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution) - Client Side Prototype Pollution
- 04/06/22 [BlackArch Linux](https://github.com/BlackArch/blackarch-site/commit/68696c40be1629095cd547559ce078a4c77a7073) - Officially added in BlackArch Linux :tada: