JSPanda : Client-Side Prototype Pollution Vulnerability Scanner

JSpanda is client-side prototype pollution vulnerability scanner. It has two key features, scanning vulnerability the supplied URLs and analyzing the JavaScript libraries’ source code.

However, JSpanda cannot detect advanced prototype pollution vulnerabilities.

How JSPanda works?

Uses multiple payloads for prototype pollution vulnerability.
Gathers all the links in the targets for scanning and add payloads to JSpanda-obtained URLs, navigates to each URL with headless Chromedriver.
Scans all words in the source code of potentially vulnerable JavaScript library and it creates a simple JS PoC by finding the script gadget, helping you analyze the code manually.

Requirements

Download latest version of Google Chrome and Chromedriver
Selenium

Usage

Scan: python3.7 jspanda.py

Add URLs to url.txt file, for instance : example.com

Basic Source Code Analysis : python3.7 analyze.py

Add a JavaScript library’s source code to analyze.js
Generate PoC code using analyze.py
Execute PoC code on Chrome’s console. It pollutes all the words collected from the source code and show it on the screen. So it may generate false positive results. These outputs provide additional information to researchers, do not automate everything.

Source code analysis – Screenshot

Related

Plution : Prototype Pollution Scanner Using Headless Chrome

September 27, 2021

In "Kali Linux"

pphack : The Advanced Client-Side Prototype Pollution Scanner

February 5, 2024

In "Cyber security"

Ppmap : A Scanner/Exploitation Tool Written In GO, Which Leverages Prototype Pollution To XSS By Exploiting Known Gadgets

July 28, 2021

In "Kali Linux"

R K

Next AutomatedLab : A Provisioning Solution And Framework That Lets You Deploy Complex Labs On HyperV And Azure With Simple PowerShell Scripts »

Previous « Databases Worldwide are Full of Security Holes

Leave a Comment

Share

Published by

R K

Tags: Client-SideJSPandaPrototypePullution Vulnerability Scanner

4 years ago

Recent Posts

Cyber security

How AI Puts Data Security at Risk

Artificial Intelligence (AI) is changing how industries operate, automating processes, and driving new innovations. However,…

21 hours ago

TECH

The Evolution of Cloud Technology: Where We Started and Where We’re Headed

Image credit:pexels.com If you think back to the early days of personal computing, you probably…

5 days ago

TECH

The Evolution of Online Finance Tools In a Tech-Driven World

In an era defined by technological innovation, the way people handle and understand money has…

5 days ago

OSINT

A Complete Guide to Lenso.ai and Its Reverse Image Search Capabilities

The online world becomes more visually driven with every passing year. Images spread across websites,…

6 days ago

Cyber security

How Web Application Firewalls (WAFs) Work

General Working of a Web Application Firewall (WAF) A Web Application Firewall (WAF) acts as…

1 month ago

Linux

How to Send POST Requests Using curl in Linux

How to Send POST Requests Using curl in Linux If you work with APIs, servers,…

1 month ago

L