├── testurls.txt ├── .github └── FUNDING.yml ├── README.md └── main.go /testurls.txt: -------------------------------------------------------------------------------- 1 | http://tomnomnom.uk/pp/?page=home 2 | https://example.com 3 | https://prototype-pollution.tomnomnom.repl.co 4 | https://hackerone.com 5 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2] 4 | patreon: # Replace with a single Patreon username 5 | open_collective: # Replace with a single Open Collective username 6 | ko_fi: # Replace with a single Ko-fi username 7 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel 8 | community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry 9 | liberapay: # Replace with a single Liberapay username 10 | issuehunt: # Replace with a single IssueHunt username 11 | otechie: # Replace with a single Otechie username 12 | custom: ['https://www.buymeacoffee.com/kathanp19'] 13 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # protoscan 2 | * Prototype Pollution Scanner made in Golang, it was actually made by @tomnomnom in NahamCon2021 https://www.youtube.com/watch?v=Gv1nK6Wj8qM 3 | * I just made it for fun and added some extra features 4 | 5 | # Installation: 6 | 7 | `go get github.com/KathanP19/protoscan` 8 | 9 | # Usage: 10 | ``` 11 | 12 | _____ _ _____ 13 | | __ \ | | / ____| 14 | | |__) _ __ ___ | |_ ___| (___ ___ __ _ _ __ 15 | | ___| '__/ _ \| __/ _ \\___ \ / __/ _ | '_ \ 16 | | | | | | (_) | || (_) ____) | (_| (_| | | | | 17 | |_| |_| \___/ \__\___|_____/ \___\__,_|_| |_| 18 | 19 | -@KathanP19 20 
| 21 | Usage of protoscan: 22 | -c int 23 | Set Concurrency (default 10) 24 | -o string 25 | Save Result to OutputFile 26 | -u Scan Urls 27 | ``` 28 | *Warning : Use concurrency according to your PC spec* 29 | * If you want to test, you can use testurls.txt 30 | `cat testurls.txt | protoscan` 31 | 32 | * If you want to scan urls `For Example: http://example.com/?page=some` then use the `-u` option. 33 | `cat testurls.txt | protoscan -u` 34 | 35 | # Payloads Used: 36 | * By default it will append `?__proto__[protoscan]=protoscan` to `https://example.com`, so you can pipe the output of Httpx or some other tool directly to STDIN after you have checked that the domain is live. 37 | ``` 38 | https://example.com/?__proto__[protoscan]=protoscan 39 | ``` 40 | * When `-u` is used it will append `&__proto__[protoscan]=protoscan` to the url 41 | ``` 42 | https://example.com/?page=some&__proto__[protoscan]=protoscan 43 | ``` 44 | 45 | # More Info: 46 | If you want to learn about prototype pollution, you can check this repo. 47 | - https://github.com/BlackFan/client-side-prototype-pollution 48 | 49 | # TODO: 50 | - [ ] Add more Payload Support. 
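package main

import (
	"bufio"
	"context"
	"flag"
	"fmt"
	"log"
	"os"
	"strings"
	"sync"
	"time"

	"github.com/chromedp/chromedp"
)

// Command-line flags; set once in main before any worker starts and only
// read afterwards.
var (
	concurrency int
	urls        bool
	outputFile  string
)

const (
	//InfoColor = "\033[1;34m%s\033[0m"
	NoticeColor = "\033[1;36m%s\033[0m"
	//WarningColor = "\033[1;33m%s\033[0m"
	ErrorColor = "\033[1;31m%s\033[0m"
	//DebugColor = "\033[0;36m%s\033[0m"

	// payload is the query parameter appended to every target. A page whose
	// Object.prototype absorbs it exposes window.protoscan afterwards.
	payload = "__proto__[protoscan]=protoscan"

	// markerProbe is evaluated in the page after navigation and is true only
	// when the payload reached the prototype chain.
	markerProbe = `typeof window.protoscan !== "undefined"`

	// pageTimeout bounds one navigate-and-evaluate so a single unresponsive
	// target cannot stall a worker forever.
	pageTimeout = 30 * time.Second
)

// banner prints the tool's ASCII-art header.
func banner() {
	fmt.Println(`
 _____           _       _____                 
|  __ \         | |     / ____|                
| |__) _ __ ___ | |_ ___| (___   ___ __ _ _ __  
|  ___| '__/ _ \| __/ _ \\___ \ / __/ _  | '_ \ 
| |   | | | (_) | || (_) ____) | (_| (_| | | | |
|_|   |_|  \___/ \__\___|_____/ \___\__,_|_| |_|

                                    -@KathanP19
`)
}

// main parses the flags, prepares the output file and hands the whole scan
// to ProtoScan, which performs the fan-out itself.
func main() {
	banner()
	flag.IntVar(&concurrency, "c", 10, "Set Concurrency ")
	flag.BoolVar(&urls, "u", false, "Scan Urls ")
	flag.StringVar(&outputFile, "o", "", "Save Result to OutputFile")
	flag.Parse()

	// Zero or negative concurrency previously started no workers at all, so
	// the scan silently did nothing; clamp to a single worker instead.
	if concurrency < 1 {
		concurrency = 1
	}

	// Truncate (or create) the output file up front so a rerun does not
	// append to stale results; ProtoScan reopens it in append mode.
	if outputFile != "" {
		f, err := os.Create(outputFile)
		if err != nil {
			log.Fatal(err)
		}
		f.Close()
	}

	// Stdin must have exactly one reader, so ProtoScan is called once rather
	// than once per worker.
	ProtoScan()
}

// ProtoScan reads one target per line from stdin, probes each one for
// client-side prototype pollution using up to `concurrency` browser workers,
// and reports every target on the log output. Confirmed targets are also
// appended to outputFile when the -o flag was given. Blank lines are skipped.
// The process exits via log.Fatal if the output file cannot be opened or
// written, or if stdin cannot be read.
func ProtoScan() {
	var (
		out   *os.File
		outMu sync.Mutex // serialises appends from concurrent workers
	)
	if outputFile != "" {
		// O_CREATE keeps this safe even when main's truncation was skipped.
		f, err := os.OpenFile(outputFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
		if err != nil {
			log.Fatal(err)
		}
		defer f.Close()
		out = f
	}

	targets := make(chan string)
	var wg sync.WaitGroup
	for i := 0; i < concurrency; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			scanWorker(targets, out, &outMu)
		}()
	}

	// A single bufio.Scanner owns stdin: several scanners on the same
	// descriptor each buffer ahead and lose or split lines.
	sc := bufio.NewScanner(os.Stdin)
	for sc.Scan() {
		target := strings.TrimSpace(sc.Text())
		if target == "" {
			continue
		}
		targets <- target
	}
	close(targets)
	wg.Wait()
	if err := sc.Err(); err != nil {
		log.Fatal(err)
	}
}

// scanWorker runs one browser for its lifetime and scans every target it
// receives, opening a fresh tab per target. Findings go to out (when non-nil)
// under mu. It always drains targets so the producer never blocks, even when
// the browser could not be started.
func scanWorker(targets <-chan string, out *os.File, mu *sync.Mutex) {
	browserCtx, cancelBrowser := chromedp.NewContext(context.Background())
	defer cancelBrowser()

	// An empty Run launches the browser once; later NewContext calls then
	// open tabs in it instead of starting a browser per target.
	browserErr := chromedp.Run(browserCtx)

	for target := range targets {
		if browserErr != nil {
			report(target, false, fmt.Errorf("starting browser: %v", browserErr), out, mu)
			continue
		}
		vulnerable, err := scanTarget(browserCtx, target)
		report(target, vulnerable, err, out, mu)
	}
}

// scanTarget loads target with the probe payload in a new tab of browserCtx
// and returns whether window.protoscan was defined afterwards. A non-nil
// error means the check could not be completed (navigation failure,
// timeout); it does not mean the target is clean.
func scanTarget(browserCtx context.Context, target string) (bool, error) {
	tab, cancelTab := chromedp.NewContext(browserCtx)
	defer cancelTab()
	ctx, cancel := context.WithTimeout(tab, pageTimeout)
	defer cancel()

	var polluted bool
	err := chromedp.Run(ctx,
		chromedp.Navigate(payloadURL(target, urls)),
		chromedp.Evaluate(markerProbe, &polluted),
	)
	if err != nil {
		return false, err
	}
	return polluted, nil
}

// payloadURL returns target with the probe parameter appended. With
// withQuery set (the -u flag) the target is expected to already carry a
// query string and the probe is joined with "&"; when it has none, "?" is
// used so the result is still a valid URL. Otherwise the probe is appended
// as "/?", exactly as documented in the README.
func payloadURL(target string, withQuery bool) string {
	if withQuery {
		if strings.Contains(target, "?") {
			return target + "&" + payload
		}
		return target + "?" + payload
	}
	return target + "/?" + payload
}

// report logs the outcome for target and, for a confirmed finding, appends
// the target to out when an output file was requested. A write failure is
// fatal, matching the original behaviour.
func report(target string, vulnerable bool, err error, out *os.File, mu *sync.Mutex) {
	switch {
	case err != nil:
		// "Could not test" is reported separately from "tested and clean";
		// conflating them hides failures as false negatives.
		log.Printf(ErrorColor, target+" [Error] "+err.Error())
	case !vulnerable:
		log.Printf(ErrorColor, target+" [Not Vulnerable]")
	default:
		log.Printf(NoticeColor, target+" [Vulnerable]")
		if out == nil {
			return
		}
		mu.Lock()
		_, werr := out.WriteString(target + "\n")
		mu.Unlock()
		if werr != nil {
			log.Fatal(werr)
		}
	}
}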