Are you concerned about prototype pollution vulnerabilities in your JavaScript code? Look no further! PPFang is here to help you identify and eliminate prototype polluting libraries.
My project was influenced by Huli's (@aszx87410) work on cdnjs-prototype-pollution. After exploring his approach, I was motivated to develop my own project, taking a different path.
PPFang is a powerful tool designed to detect and mitigate prototype pollution vulnerabilities in your client-side JavaScript code. With PPFang, you can ensure the security and reliability of your applications by identifying and eliminating potential risks.
🔍 Verify the latest libraries from cdnjs.com
📜 Check a list of URLs for client-side prototype polluting functions
🚀 Easy installation and usage
Before getting started with PPFang, make sure you have the following prerequisites installed on your Ubuntu/Debian system:
- libnss3
- libxss1
- libasound2
- libatk-bridge2.0-0
- libgtk-3-0
- libgbm-dev
To install PPFang, simply run the following command:
In case you get the following message on Ubuntu/Debian:
/.cache/puppeteer/chrome/linux-1108766/chrome-linux/chrome: error while loading shared libraries: libatk-1.0.so.0: cannot open shared object file: No such file or directory
You might need to install the following packages:
sudo apt-get install libnss3 libxss1 libasound2 libatk-bridge2.0-0 libgtk-3-0 libgbm-devnpm install -g ppfangOr, if you prefer to install it from as an npm package from this repo directly.
npm install -g .Or, if you want to simply run it.
node index.jsor with arguments
node index.js -- [arguments go here]Usage: ppfang [command] [option]
A tool which helps identifying client-side prototype polluting libraries
Options:
-h, --help display help for command
Commands:
cdnjs [options] Verifies the latest libraries from cdnjs.com
pipe [options] Checks a list of urls provided through stdin for client-side prototype polluting functions
help [command] display help for command
Examples:
ppfang cdnjs
ppfang cdnjs -c 50
cat urls.txt | ppfang pipe -c 10
echo "https://somesite.com/" | ppfang pipe
gau --blacklist png,jpg,gif,txt,json,js some-random-domain.com | ppfang pipe -c 50
ppfang --help || ppfang
Happy hunting!
PPFang will output a list of potential prototype pollution vulnerabilities. For example, you might see a result like String.prototype.$initialize. This means that the $initialize function is potentially polluting the String prototype.
You can test the potential impact of this pollution by executing a function in the context of this prototype. For instance, you can execute an alert() function like this:
String.prototype.$initialize.call(alert(document.domain))For more special cases, such as getting results where the function names have names like: String.prototype.$<=>, String.prototype.$==, String.prototype.$eql? and so on. You can do it like this:
String.prototype['$<=>'].call(alert(document.domain))In this example, document.domain is passed to the alert() function. If the prototype pollution vulnerability is exploitable, this will display an alert box with the current document's domain.
Once you've identified potential vulnerabilities, take the steps to mitigate them. This might involve refactoring your code or removing the offending library.
Remember, the goal of PPFang is to help you identify these potential vulnerabilities so you can take steps to mitigate them. Always ensure to validate the findings and take appropriate action to secure your code.