The cutting-edge Client-Side Prototype Pollution Scanner. In this article, we’ll delve into the installation process, usage, and features of pphack, a powerful tool for web security professionals and red teamers.

Discover how pphack can help you identify and mitigate prototype pollution vulnerabilities in web applications.

The Most Advanced Client-Side Prototype Pollution Scanner


Using Go

go install

pphack relies on chromedp, so you need a Chrome or Chromium browser.

Get Started

  pphack [flags]

   -u, -url string   Input URL
   -l, -list string  File containing input URLs

   -c, -concurrency int     Concurrency level (default 50)
   -t, -timeout int         Connection timeout in seconds (default 10)
   -px, -proxy string       Set a proxy server (URL)
   -rl, -rate-limit int     Set a rate limit (per second)
   -ua, -user-agent string  Set a custom User Agent (random by default)

   -p, -payload string            Custom payload
   -js, -javascript string        Run custom Javascript on target
   -jsf, -javascript-file string  File containing custom Javascript to run on target

   -o, -output string  File to write output results
   -v, -verbose        Verbose output
   -s, -silent         Silent output. Print only results


Scan a single URL

pphack -u
echo | pphack

Scan a list of URLs

pphack -l targets.txt
cat targets.txt | pphack

Read the Wiki to understand how to use pphack.


Detailed changes for each release are documented in the release notes.


Just open an issue / pull request.

Before opening a pull request, download golangci-lint and run

golangci-lint run

Published by Tamil S

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.

Leave a comment

Your email address will not be published. Required fields are marked *