
pphack : The Advanced Client-Side Prototype Pollution Scanner

pphack is a cutting-edge client-side prototype pollution scanner. In this article, we'll cover the installation process, usage, and features of pphack, a powerful tool for web security professionals and red teamers.

Discover how pphack can help you identify and mitigate prototype pollution vulnerabilities in web applications.
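To make concrete what a client-side prototype pollution finding means and how it is mitigated, here is an added example (not code from pphack or from the original article): a constructed query-string parser showing the vulnerable pattern next to a hardened form. The function names, the `ppDemo` marker property and the sample query are assumptions made for this illustration.

```javascript
// Constructed sample input, shaped like a value of location.search.
const SAMPLE_QUERY = "?user[name]=alice&__proto__[ppDemo]=1";
const MARKER = "ppDemo"; // hypothetical marker property used for the check
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);

// Split "a[b][c]" into ["a", "b", "c"].
const keyPath = (rawKey) => rawKey.split(/[\[\]]+/).filter(Boolean);

// Shared walker: creates nested containers along the path, then assigns.
function assignPath(root, path, value, makeNode) {
  let node = root;
  for (const key of path.slice(0, -1)) {
    if (typeof node[key] !== "object" || node[key] === null) node[key] = makeNode();
    node = node[key];
  }
  node[path[path.length - 1]] = value;
}

// Vulnerable pattern: attacker-controlled keys are followed without filtering,
// so "__proto__" resolves to Object.prototype and the write lands there.
function parseQueryUnsafe(query) {
  const out = {};
  for (const [rawKey, value] of new URLSearchParams(query)) {
    const path = keyPath(rawKey);
    if (path.length) assignPath(out, path, value, () => ({}));
  }
  return out;
}

// Hardened form: reject prototype-related keys and use null-prototype containers.
function parseQuerySafe(query) {
  const out = Object.create(null);
  for (const [rawKey, value] of new URLSearchParams(query)) {
    const path = keyPath(rawKey);
    if (path.length === 0 || path.some((k) => BLOCKED.has(k))) continue;
    assignPath(out, path, value, () => Object.create(null));
  }
  return out;
}

// True when Object.prototype itself carries the property.
const isPolluted = (prop) => Object.prototype.hasOwnProperty.call(Object.prototype, prop);

function demo(query) {
  const safe = parseQuerySafe(query);
  const afterSafe = isPolluted(MARKER);
  parseQueryUnsafe(query);
  const afterUnsafe = isPolluted(MARKER);
  delete Object.prototype[MARKER]; // clean up so later code is unaffected
  return { name: safe.user.name, afterSafe, afterUnsafe };
}
console.log(demo(SAMPLE_QUERY));
```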

The Most Advanced Client-Side Prototype Pollution Scanner

Install

Using Go

go install github.com/edoardottt/pphack/cmd/pphack@latest

pphack relies on chromedp, so you need a Chrome or Chromium browser.

Get Started

Usage:
  pphack [flags]

Flags:
INPUT:
   -u, -url string   Input URL
   -l, -list string  File containing input URLs

CONFIGURATION:
   -c, -concurrency int     Concurrency level (default 50)
   -t, -timeout int         Connection timeout in seconds (default 10)
   -px, -proxy string       Set a proxy server (URL)
   -rl, -rate-limit int     Set a rate limit (per second)
   -ua, -user-agent string  Set a custom User Agent (random by default)

SCAN:
   -p, -payload string            Custom payload
   -js, -javascript string        Run custom Javascript on target
   -jsf, -javascript-file string  File containing custom Javascript to run on target

OUTPUT:
   -o, -output string  File to write output results
   -v, -verbose        Verbose output
   -s, -silent         Silent output. Print only results

Examples

Scan a single URL

pphack -u https://edoardottt.github.io/pp-test/
echo https://edoardottt.github.io/pp-test/ | pphack

Scan a list of URLs

pphack -l targets.txt
cat targets.txt | pphack

Read the Wiki to understand how to use pphack.

Changelog

Detailed changes for each release are documented in the release notes.

Contributing

Just open an issue / pull request.

Before opening a pull request, download golangci-lint and run

golangci-lint run
Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
