mmg1 / cspp-tools

Client-Side Prototype Pollution Tools

Match rules for Burp Software Version Reporter extension

Match rules that let the Software Version Reporter Burp extension passively flag vulnerable libraries in proxied responses, even when the JS is minified.

Rules: match_rules/match-rules.tab
Extension: Software Version Reporter

Prototype Checker

JS script that highlights custom fields that page libraries have added to prototypes and constructors; such fields are candidate script gadgets when exploiting Prototype Pollution.

Script: prototype_checker/prototype_checker.js
Script Gadget Example: script.aculo.us XSS Script Gadget
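
As an added illustration of what such a checker does (example code written for this page, not the repository's prototype_checker.js): snapshot the own properties of a fixed list of built-in constructors and their prototypes, let a stand-in library extend them, and diff the two snapshots. The constructor list, the simulated library and the function names (BUILTINS, snapshotPrototypes, diffSnapshots, simulateLibrary, demo) are this example's own assumptions.

```javascript
// Added example (not the repository's prototype_checker.js): detect custom
// fields that page code has added to built-in constructors and prototypes.
// BUILTINS, snapshotPrototypes, diffSnapshots and simulateLibrary are this
// example's own names.

// Constructors to inspect; each is checked both as a constructor (static
// fields) and via its .prototype.
const BUILTINS = { Object, Array, Function, String, Number, Boolean, RegExp, Date, Error, Promise, Map, Set };

// Record the own keys (string and symbol) of every constructor and prototype.
function snapshotPrototypes(ctors = BUILTINS) {
  const snap = {};
  for (const [name, ctor] of Object.entries(ctors)) {
    snap[name] = new Set(Reflect.ownKeys(ctor));
    snap[`${name}.prototype`] = new Set(Reflect.ownKeys(ctor.prototype));
  }
  return snap;
}

// Report every key present in `after` but not in `before`, with the kind of
// value it holds and whether it is enumerable. Enumerable additions to
// Object.prototype are the most interesting: they show up in every for..in
// and are read by any code that walks object keys.
function diffSnapshots(before, after, ctors = BUILTINS) {
  const findings = [];
  for (const label of Object.keys(after)) {
    const [ctorName, isProto] = label.split('.');   // "Array.prototype" -> ['Array', 'prototype']
    const target = isProto ? ctors[ctorName].prototype : ctors[ctorName];
    for (const key of after[label]) {
      if (before[label] && before[label].has(key)) continue;
      const desc = Reflect.getOwnPropertyDescriptor(target, key);
      findings.push({
        owner: label,
        key: typeof key === 'symbol' ? key.toString() : key,
        kind: desc.get || desc.set ? 'accessor' : typeof desc.value,
        enumerable: desc.enumerable,
      });
    }
  }
  return findings;
}

// Constructed stand-in for a legacy library that extends built-ins (the
// pattern that makes custom prototype fields worth looking for). Returns an
// undo function so the runtime is restored afterwards.
function simulateLibrary() {
  Object.extend = function (dst, src) { for (const k in src) dst[k] = src[k]; return dst; };
  Object.prototype.merge = function (o) { return Object.extend(this, o); };
  Object.prototype.__config = { debug: false };          // data field: overwritable via pollution
  Array.prototype.first = function () { return this[0]; };
  Object.defineProperty(String.prototype, 'escapeHTML', { // non-enumerable, like a native method
    value() { return this.replace(/</g, '&lt;'); }, writable: true, configurable: true,
  });
  return () => {
    delete Object.extend; delete Object.prototype.merge; delete Object.prototype.__config;
    delete Array.prototype.first; delete String.prototype.escapeHTML;
  };
}

// Snapshot, load the library, diff, and clean up. In a real page the "before"
// snapshot would be taken before the page's own scripts load.
function demo() {
  const before = snapshotPrototypes();
  const undo = simulateLibrary();
  const findings = diffSnapshots(before, snapshotPrototypes());
  undo();
  return findings;
}

// demo().map(f => `${f.owner}.${f.key} [${f.kind}${f.enumerable ? ', enumerable' : ''}]`)
//   -> [ 'Object.extend [function, enumerable]',
//        'Object.prototype.merge [function, enumerable]',
//        'Object.prototype.__config [object, enumerable]',
//        'Array.prototype.first [function, enumerable]',
//        'String.prototype.escapeHTML [function]' ]
```

The enumerable flag matters in practice: a non-enumerable addition such as escapeHTML behaves like a native method, while enumerable data fields on Object.prototype (here __config) are both visible to every for..in loop and the kind of value an attacker-controlled `__proto__` write can replace.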


Burp pollute.js

pollute.js instruments JavaScript so that every access to an uninitialized property (one the object does not define itself, so the lookup falls through to the prototype chain) is highlighted. Together with the small wrapper and the Burp Suite extension described below, all HTTP responses passing through Burp Proxy can be replaced with the instrumented code.

Install

  • Install the pollute.js dependencies
  • Set up a web server that runs pollute.js through pollute.php (or write your own wrapper)
  • Set the link in POLLUTE_JS to your wrapper's URL
  • Build the Burp Suite extension

Logging conditions are set in the PREAMBLE of pollute.js. For example, to search for DOM Clobbering gadgets, replace

obj instanceof Object

with

(obj instanceof Window || obj instanceof Document)

To log property accesses only after Prototype Pollution has actually triggered (so reads that happen before the sink fires do not add noise), add the condition

typeof Object.prototype[1337] != 'undefined'

and call the page with

?__proto__[1337]=xxx
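
The following is an added example, not the repository's pollute.js or its Burp extension, showing in plain Node.js what the instrumentation above reduces to: a hook that instrumented code calls in place of each property read, the two PREAMBLE conditions quoted above, a constructed query-string parser with the classic `__proto__` bug as the pollution sink, and a driver that runs the `?__proto__[1337]=xxx` scenario. All names (__get, PREAMBLE, ROOT_BASELINE, parseQuery, renderWidget, demo) and the sample page code are assumptions made for this example.

```javascript
// Added example (not the repository's pollute.js or Burp extension): what the
// instrumentation reduces to, run in plain Node.js. __get, PREAMBLE,
// ROOT_BASELINE, parseQuery, renderWidget and demo are this example's own names.

// Own property names of Object.prototype at load time; anything that appears
// there later was written by pollution.
const ROOT_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));
const hasOwn = (o, p) => Object.prototype.hasOwnProperty.call(o, p);

// Stand-ins for the two PREAMBLE conditions quoted above.
const PREAMBLE = {
  // default: consider reads on any object
  any: (obj) => obj instanceof Object,
  // only once the canary set by ?__proto__[1337]=xxx exists on Object.prototype
  afterPollution: (obj) =>
    obj instanceof Object && typeof Object.prototype[1337] != 'undefined',
};

const accessLog = [];

// Hook that instrumented code calls in place of each `obj[prop]` read. A read
// is uninitialized when the object has no own property of that name, so the
// lookup falls through to the prototype chain: either it yields undefined
// (a candidate gadget, since a polluted Object.prototype could supply the
// value) or it already yields a value that pollution put on Object.prototype.
function __get(obj, prop, condition = PREAMBLE.any) {
  const value = obj[prop];                     // keep normal semantics, including throwing on null
  if (condition(obj, prop) && !hasOwn(obj, prop)) {
    const fromPollution = hasOwn(Object.prototype, prop) && !ROOT_BASELINE.has(String(prop));
    if (value === undefined || fromPollution) {
      accessLog.push({ prop: String(prop), fromPollution });
    }
  }
  return value;
}

// Constructed stand-in for the vulnerable page: parses `?a[b]=c` into nested
// objects with no guard on the `__proto__` key, so `result['__proto__']` is
// Object.prototype and `?__proto__[1337]=xxx` writes onto it (the sink).
function parseQuery(qs) {
  const result = {};
  for (const pair of qs.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [rawKey, rawVal = ''] = pair.split('=');
    const key = decodeURIComponent(rawKey);
    const val = decodeURIComponent(rawVal);
    const m = /^([^\[]+)\[([^\]]*)\]$/.exec(key);
    if (m) {
      const [, outer, inner] = m;
      if (result[outer] === undefined) result[outer] = {};   // never true for '__proto__'
      result[outer][inner] = val;
    } else {
      result[key] = val;
    }
  }
  return result;
}

// Constructed stand-in for application code after instrumentation: each
// `config.x` read has been rewritten to `__get(config, 'x', condition)`.
function renderWidget(config, condition) {
  const tagName = __get(config, 'tagName', condition) || 'div';   // uninitialized: gadget candidate
  const className = __get(config, 'className', condition) || '';  // own property: never logged
  const canary = __get(config, 1337, condition);                  // resolves to the polluted value
  return { tagName, className, canary };
}

// The README scenario: with the afterPollution condition nothing is logged
// until the canary exists; then every uninitialized read shows up.
function demo(query) {
  accessLog.length = 0;
  renderWidget({ className: 'box' }, PREAMBLE.afterPollution);
  const loggedBeforePollution = accessLog.length;
  parseQuery(query);                                   // the sink fires here
  const widget = renderWidget({ className: 'box' }, PREAMBLE.afterPollution);
  const loggedAfterPollution = accessLog.map((e) => e.prop + (e.fromPollution ? '*' : ''));
  delete Object.prototype[1337];                       // restore the runtime
  return { loggedBeforePollution, loggedAfterPollution, widget };
}

// demo('?__proto__[1337]=xxx')
//   -> { loggedBeforePollution: 0,
//        loggedAfterPollution: [ 'tagName', '1337*' ],
//        widget: { tagName: 'div', className: 'box', canary: 'xxx' } }
```

The real tool rewrites the page's JavaScript so that member reads go through a hook of this shape; the log entry for tagName is the kind of finding you are after, because any property a page reads with a fallback default can be supplied through `__proto__` once a sink like parseQuery exists. The afterPollution condition is what keeps the log quiet until the canary write has confirmed the sink.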
