kleiton0x00 / ppmap

A scanner/exploitation tool written in GO, which leverages client-side Prototype Pollution to XSS by exploiting known gadgets.
https://kleiton0x00.github.io
GNU General Public License v3.0

Add the location.hash source #9

Closed bnematzadeh closed 2 years ago

bnematzadeh commented 2 years ago

Hi,

Some web pages may use the "location.hash" to read the hash value. It's better to check this source along with the "location.search". The following code uses a vulnerable gadget (jquery deparam) to read the hash value.

Payload for this gadget: `?__proto__[onload]=alert(1)`

Case-1: location.search -> ppmap detects the pollution and generates the above payload

Case-2: location.hash -> ppmap does not detect the pollution

XSS Challenge from r/Slackers
kleiton0x00 commented 2 years ago

I'm sorry, but I didn't quite understand the Case-1&2. Ppmap uses only window.ppmap to identify the pollution. Can you please provide more information and an example if possible as I'm not able to reproduce the issue?

bnematzadeh commented 2 years ago

Yeah, sure! ppmap workflow is as follows:

For detecting the pollution, ppmap sends the following payloads as "query string" first. Then it checks the window.ppmap to verify the pollution:

```go
payloads := [4]string{
	"constructor%5Bprototype%5D%5Bppmap%5D=reserved",
	"__proto__.ppmap=reserved",
	"constructor.prototype.ppmap=reserved",
	"__proto__%5Bppmap%5D=reserved",
}
```

The problem here is not the window.ppmap. It's about sending the above payloads as query strings: `?constructor%5Bprototype%5D%5Bppmap%5D=reserved`

This only works for pages which include the "location.search" to read the payloads. If you change the source to "location.hash", the detection phase will fail. To reproduce this issue, you can use the following example:

ppmap works fine here because this page uses the location.search: `var query = deparam(location.search.slice(1));`

But if you change the source to `var query = deparam(location.hash.substr(1));`, the ppmap won't detect the pollution because the page only accepts the hash value parameters from the client and this tool only sends the payloads as query strings.
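The following is an added, self-contained example and is not code from ppmap, from jquery-deparam, or from the challenge page. It implements a minimal deparam-style parser in the naive form that the payloads quoted above pollute, beside a hardened form that refuses prototype-reaching keys and builds null-prototype containers, and a `sourcesOf` helper that shows why a `ppmap=reserved` marker carried only in the query string never reaches a page that parses `location.hash`. The function names (`deparamNaive`, `deparamSafe`, `probe`, `sourcesOf`) and the `example.test` URL are assumptions of this example; the `ppmap=reserved` marker and the payload shapes are the ones quoted in the thread.

```javascript
// Added example, not part of ppmap, jquery-deparam or the challenge page:
// a naive deparam-style parser beside a hardened one, plus a helper that
// shows which source (location.search vs location.hash) a probe reaches.

// Keys that let a nested assignment walk up onto Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// "a[b][c]=v" (or "a.b.c=v", or its %5B/%5D-encoded form)
//   -> { parts: ["a", "b", "c"], value: "v" }
function splitPair(pair) {
  const eq = pair.indexOf('=');
  const rawKey = eq === -1 ? pair : pair.slice(0, eq);
  const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
  const key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
  const value = decodeURIComponent(rawVal.replace(/\+/g, ' '));
  const parts = key.split(/\]\[|\[|\]|\./).filter((p) => p.length > 0);
  return { parts, value };
}

// Walk (creating as needed) the nested path under root and assign the leaf.
// makeNode builds the intermediate containers; the naive caller uses {}.
function assignPath(root, parts, value, makeNode) {
  let cur = root;
  for (let i = 0; i < parts.length - 1; i++) {
    const p = parts[i];
    if (cur[p] === undefined) cur[p] = makeNode();
    cur = cur[p];
  }
  cur[parts[parts.length - 1]] = value;
}

// Naive parser: "__proto__[ppmap]=reserved" steps onto Object.prototype,
// and "constructor[prototype][ppmap]=reserved" steps Object -> Object.prototype,
// so the leaf assignment lands on the prototype shared by every object.
function deparamNaive(qs) {
  const result = {};
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const { parts, value } = splitPair(pair);
    if (parts.length === 0) continue;
    assignPath(result, parts, value, () => ({}));
  }
  return result;
}

// Hardened parser: drop any pair whose path names a forbidden key, and use
// null-prototype containers so there is no chain to walk even if the filter
// were bypassed by some other spelling.
function deparamSafe(qs) {
  const result = Object.create(null);
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const { parts, value } = splitPair(pair);
    if (parts.length === 0 || parts.some((p) => FORBIDDEN_KEYS.has(p))) continue;
    assignPath(result, parts, value, () => Object.create(null));
  }
  return result;
}

// What checking for the ppmap marker amounts to on the page side: after the
// parse, is `ppmap` readable on a brand-new object? cleanup() removes it.
function isPolluted() { return ({}).ppmap === 'reserved'; }
function cleanup() { delete Object.prototype.ppmap; }

// Run one parser over one source string and report whether it polluted.
function probe(parser, source) {
  cleanup();
  parser(source);
  const hit = isPolluted();
  cleanup();
  return hit;
}

// The two strings a page would hand to deparam: location.search.slice(1)
// and location.hash.slice(1). A probe placed only in the query string is
// invisible to a page that reads the hash, and vice versa.
function sourcesOf(urlString) {
  const u = new URL(urlString);
  return { search: u.search.slice(1), hash: u.hash.slice(1) };
}

// Constructed URL: the marker sits in the fragment, nothing in the query.
const demo = sourcesOf('https://example.test/page?x=1#__proto__[ppmap]=reserved');
console.log('query string probe reaches a search-based page:', probe(deparamNaive, demo.search));
console.log('fragment probe reaches a hash-based page:', probe(deparamNaive, demo.hash));
console.log('hardened parser, same fragment:', probe(deparamSafe, demo.hash));
```

Running it shows the naive parser polluted only when fed the fragment, which is the gap the issue reports: a scanner that only varies the query string gets no signal from a page whose only sink is `location.hash`. The hardened parser returns `false` for every payload shape from the thread while still parsing ordinary nested keys.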

kleiton0x00 commented 2 years ago

Can you please confirm if v1.2.0 fixes this issue?

bnematzadeh commented 2 years ago

Looks good to me! It's fixed

kleiton0x00 commented 2 years ago

Thank you for your feedback!