Page-fetch is a new open-source tool created by the Detectify Security Research team that helps hunt for prototype pollution issues.
One of the most common places for prototype pollution — the ability to inject properties into existing JavaScript language construct prototypes — is in processing the query string.
Detectify’s solution already finds issues that stem from prototype pollution when running the Deep Scan DAST scanner, but now pentesters, bug bounty hunters and security researchers can also look for this vulnerability, as well as other client-side issues, using page-fetch.
Page-fetch, which is written in Go, works by taking a list of URLs as its input and fetching them using a headless Chrome browser, all while storing a copy of every response it sees, including JavaScript files, CSS files, images, API requests, etc.
By having a copy of those resources, users can build custom word lists and use filters to exclude third-party requests, save only third-party requests, and include or exclude requests based on their content-type.
To look for prototype pollution, one picks a payload to try in the query string of the input URL, then tests whether the value was set as expected. The test code simply checks whether ‘window.testparam’ is equal to ‘testval’: if it is, it returns the string ‘vulnerable’, and ‘not vulnerable’ otherwise.
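The check described above, as an added example that is not page-fetch's own code: a minimal query-string parser with the classic prototype-pollution defect, a hardened counterpart, and the vulnerable/not-vulnerable verdict. The payload string, parser functions and the use of a fresh object in place of ‘window’ (both inherit from Object.prototype) are assumptions of this example, not details from the article.

```javascript
// Constructed sample query string: a nested key whose first segment is __proto__.
const PAYLOAD = '?__proto__[testparam]=testval';

// Turn "a[b][c]=v" pairs into [["a","b","c"], "v"]. Shared by both parsers.
function pairs(qs) {
  return qs.replace(/^\?/, '').split('&').filter(Boolean).map((pair) => {
    const [rawKey, rawVal = ''] = pair.split('=');
    const path = decodeURIComponent(rawKey).split(/\]?\[|\]$/).filter(Boolean);
    return [path, decodeURIComponent(rawVal)];
  }).filter(([path]) => path.length > 0);
}

// Vulnerable: walks the result object along the key path and assigns, so a
// path through "__proto__" lands on Object.prototype itself.
function parseQueryVulnerable(qs) {
  const result = {};
  for (const [path, val] of pairs(qs)) {
    let cur = result;
    for (const seg of path.slice(0, -1)) {
      if (typeof cur[seg] !== 'object' || cur[seg] === null) cur[seg] = {};
      cur = cur[seg];
    }
    cur[path[path.length - 1]] = val;
  }
  return result;
}

// Hardened: null-prototype containers (nothing to walk into) plus a deny-list
// for the segments that reach a prototype via the constructor chain.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function parseQueryHardened(qs) {
  const result = Object.create(null);
  for (const [path, val] of pairs(qs)) {
    if (path.some((seg) => FORBIDDEN.has(seg))) continue; // drop the pair entirely
    let cur = result;
    for (const seg of path.slice(0, -1)) {
      if (typeof cur[seg] !== 'object' || cur[seg] === null) cur[seg] = Object.create(null);
      cur = cur[seg];
    }
    cur[path[path.length - 1]] = val;
  }
  return result;
}

// The article's test: after parsing, does an unrelated object (standing in for
// window) now see testparam === 'testval'? Cleans up so probes stay independent.
function probe(parser, qs) {
  delete Object.prototype.testparam;
  parser(qs);
  const verdict = ({}).testparam === 'testval' ? 'vulnerable' : 'not vulnerable';
  delete Object.prototype.testparam;
  return verdict;
}

console.log(probe(parseQueryVulnerable, PAYLOAD)); // vulnerable
console.log(probe(parseQueryHardened, PAYLOAD));   // not vulnerable
```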
Additional details on how it works are available here.