Hunting for Prototype Pollution and its vulnerable code in JS libraries


It's been months since I released ppmap, and it didn't take long for the tool to become popular, given how hot and trending the Prototype Pollution vulnerability actually is.

In this article I'm not going to introduce you to what Prototype Pollution is, since there are plenty of articles and videos out there that explain it better than I can. This article is the result of several weeks of research on the topic, and it brings you new and innovative ideas (well, not all of them are new) on how to scan JavaScript packages (npm packages included) at scale, and how to debug manually (for more complex JavaScript code) to find the root cause of client-side Prototype Pollution.

Searching for client-side Prototype Pollution

For this type of hunting we are going to use Chrome/Chromium, since their Developer Tools are by far the most convenient for debugging.

Exploitation starts by first finding out whether the website is vulnerable to client-side prototype pollution or not. We are going to use ppmap, which will
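Before scanning, it helps to know what the "root cause" the article hunts for actually looks like in code. The block below is an added example, not code from this post or from ppmap: a recursive merge of the kind found in many JS libraries that trusts every key of its input (the vulnerable pattern), the hardened version that skips `__proto__`, `constructor` and `prototype`, and a small probe that tells you whether `Object.prototype` has been polluted. The payload is a constructed sample; the function names are my own.

```javascript
// Added example (not from the original post or from ppmap): the merge pattern
// behind client-side prototype pollution, a hardened version, and a probe
// that reveals whether Object.prototype has been polluted.

// Vulnerable: recursive merge that trusts every key in `source`.
// If `source` carries an own "__proto__" key (JSON.parse creates one),
// target["__proto__"] resolves to Object.prototype and gets written to.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === "object" && value !== null) {
      if (typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain and only recurse
// into own, plain-object properties of the target.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop the dangerous keys outright
    const value = source[key];
    if (typeof value === "object" && value !== null && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Probe: a fresh empty object inherits from Object.prototype, so if the key
// is visible on it, the prototype has been polluted. This is the same check
// you can type into the DevTools console: ({}).polluted
function isPrototypePolluted(probeKey) {
  return probeKey in {};
}

// Run both merges against the same constructed payload and report the probe
// results. The payload mimics what a page might parse from its URL fragment.
function demonstrate() {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}, "theme": "dark"}');

  const before = isPrototypePolluted("polluted");
  unsafeMerge({}, payload);
  const afterUnsafe = isPrototypePolluted("polluted");
  delete Object.prototype.polluted; // undo the pollution before the second run

  const hardened = safeMerge({}, payload);
  const afterSafe = isPrototypePolluted("polluted");

  return { before, afterUnsafe, afterSafe, theme: hardened.theme };
}

console.log(demonstrate()); // { before: false, afterUnsafe: true, afterSafe: false, theme: 'dark' }
```

When you find a merge, `extend`, `deepSet` or query-string parser that walks user-controlled keys like `unsafeMerge` does, that is the spot to set a breakpoint in DevTools; the probe is what a scanner such as ppmap checks for after supplying a payload.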
