ppfuzz Prototype Pollution Fuzzer

ppfuzz: Prototype Pollution Fuzzer

A fast tool, written in Rust, for scanning for client-side prototype pollution vulnerabilities.

Prototype pollution is a JavaScript vulnerability that enables an attacker to add arbitrary properties to global object prototypes, which may then be inherited by user-defined objects. (By PortSwigger)

Installation

Binary

Simply download a pre-built binary from the releases page and run it!

Source

NOTE

Rust should be installed!

Using cargo:

▶ cargo install ppfuzz

— or

Or build the executable manually from source:

▶ git clone https://github.com/dwisiswant0/ppfuzz
▶ cd ppfuzz && cargo build --release
# binary file located at target/release/ppfuzz

Dependencies

ppfuzz uses chromiumoxide, which requires a Chrome or Chromium browser to be installed. If the CHROME environment variable is set, it’ll be used as the default executable. Otherwise, the filenames google-chrome-stable, chromium, chromium-browser, chrome and chrome-browser are searched for in standard places. If that fails, /Applications/Google Chrome.app/... (on macOS) or the registry (on Windows) is consulted.

Demonstration

As the demo shows, ppfuzz checks for prototype-pollution vulnerabilities by appending object and pointer query parameters to each target. If the target is indeed vulnerable, it fingerprints the script gadgets in use and then displays additional payload info that could potentially escalate the impact to XSS, a bypass, or cookie injection.
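The behaviour ppfuzz looks for, as an added example that is not part of the ppfuzz project: a minimal client-side query-string parser of the kind that acts as the pollution sink, its hardened form, and a probe that appends a prototype-targeting parameter and then checks whether a fresh, unrelated object has inherited the marker. The parser functions, the marker name `ppProbe` and the sample query strings are assumptions made for this example, not ppfuzz’s own payloads.

```javascript
// Added example (not ppfuzz code): a vulnerable query-string parser, its
// hardened form, and a probe that checks whether a parser pollutes
// Object.prototype. All names and sample inputs are constructed here.

// Constructed sample query string with nested keys (benign input).
const BENIGN_QUERY = "?page=2&sort[field]=name";

// Splits "?a=1&b[c]=2" into [["a","1"],["b[c]","2"]] pairs.
function splitPairs(query) {
  const q = query.startsWith("?") ? query.slice(1) : query;
  return q.split("&").filter(Boolean).map((kv) => {
    const [k, v = ""] = kv.split("=");
    return [decodeURIComponent(k), decodeURIComponent(v)];
  });
}

// Turns "a[b][c]" into ["a", "b", "c"]; plain "a" becomes ["a"].
function keyPath(key) {
  return key.replace(/\]/g, "").split("[").filter(Boolean);
}

// VULNERABLE: walks the key path with plain property access, so the key
// "__proto__[x]" descends into Object.prototype and writes "x" there.
function parseQueryVulnerable(query) {
  const result = {};
  for (const [key, value] of splitPairs(query)) {
    const path = keyPath(key);
    let cur = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof cur[path[i]] !== "object" || cur[path[i]] === null) {
        cur[path[i]] = {};
      }
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = value;
  }
  return result;
}

// Keys that would let a write reach a prototype instead of the target object.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// HARDENED: drops prototype-reaching keys, builds null-prototype objects and
// only descends into own properties, so no write can reach a prototype.
function parseQuerySafe(query) {
  const result = Object.create(null);
  for (const [key, value] of splitPairs(query)) {
    const path = keyPath(key);
    if (path.some((p) => FORBIDDEN_KEYS.has(p))) continue; // reject the pair
    let cur = result;
    for (let i = 0; i < path.length - 1; i++) {
      const own = Object.prototype.hasOwnProperty.call(cur, path[i]);
      if (!own || typeof cur[path[i]] !== "object" || cur[path[i]] === null) {
        cur[path[i]] = Object.create(null);
      }
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = value;
  }
  return result;
}

// Probe in the spirit of a scanner check: feed the parser a query that
// targets the prototype, then ask whether an unrelated fresh object has
// inherited the marker. The marker is always removed afterwards so the
// probe cannot poison later checks in the same page.
function isPollutedBy(parser, marker = "ppProbe") {
  const query = `?__proto__[${marker}]=1`; // hypothetical probe parameter
  try {
    parser(query);
    return ({})[marker] === "1";
  } finally {
    delete Object.prototype[marker];
  }
}

console.log("vulnerable parser pollutes:", isPollutedBy(parseQueryVulnerable));
console.log("hardened parser pollutes:", isPollutedBy(parseQuerySafe));
console.log("hardened parser still parses:", parseQuerySafe(BENIGN_QUERY));
```

The detection signal is the inheritance check on a fresh `{}`, not the parser’s return value: a polluted prototype shows up on every object created afterwards, which is exactly why a scanner must clean the marker up before moving on to the next probe. In a real scan this check runs inside the page, which is what ppfuzz drives a headless Chrome for.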

Usage

It’s fairly simple to use ppfuzz!

▶ ppfuzz -l FILE [OPTIONS]

Basic

Use -l/--list to provide input list:

▶ ppfuzz -l FILE

You can also provide the list using I/O redirection:

▶ ppfuzz < FILE

— or chain it from another command output:

▶ cat FILE | ppfuzz

Only show vulnerable targets (suppress errors):

▶ ppfuzz -l FILE 2>/dev/null

Options

Here are all the options it supports:

▶ ppfuzz -h
Flag               Description                             Default value
-l, --list         List of target URLs
-c, --concurrency  Set the concurrency level               5
-t, --timeout      Max. time allowed for connection (s)    30
-h, --help         Prints help information
-V, --version      Prints version information