This Week’s SD Times Open Source Project: page-fetch

Page-fetch is a new open source tool created by the Detectify Security Research team to help you find prototype pollution issues.

Prototype pollution is the ability to insert properties into the prototypes of existing JavaScript language structures, and one of the most common places for it to occur is the processing of query strings.

Detectify’s solution can already detect problems caused by prototype pollution when running the Deep Scan DAST scanner, but pen testers, bug bounty hunters, and security researchers can also use page-fetch to look for this vulnerability and other client-side issues.

Page-fetch is written in Go. It works by taking a list of URLs as input, retrieving them using a headless Chrome browser, and saving a copy of all responses, including JavaScript files, CSS files, images, API requests, and more.


Having a copy of these resources allows users to create custom word lists. Users can also filter out third-party requests, store only third-party requests, and include or exclude requests based on content type.

To look for prototype pollution, you select a payload to try in the query string of the input URL and test whether the value is set as expected. The test code then checks whether `window.testparam` is equal to `testval`; if it is, it returns the string "vulnerable", and otherwise it returns "not vulnerable".
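The check described above, as an added example that is not page-fetch's code or part of the original article: a pollutable query-string parser, a hardened version, and the `testparam`/`testval` test run against both. The parsers, the sample query string, and the use of a fresh object in place of `window` (so the block runs under Node.js) are assumptions made for illustration.

```javascript
// Splits "a[b][c]" into ["a", "b", "c"].
const keyPath = (rawKey) => rawKey.split(/[\[\]]+/).filter(Boolean);

// Pollutable: walks bracketed keys without filtering, so a "__proto__"
// segment resolves to Object.prototype and the final write lands there.
function parseQueryUnsafe(qs) {
  const out = {};
  for (const [rawKey, value] of new URLSearchParams(qs)) {
    const path = keyPath(rawKey);
    let node = out;
    for (const key of path.slice(0, -1)) {
      if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
      node = node[key];
    }
    node[path[path.length - 1]] = value;
  }
  return out;
}

// Hardened: rejects prototype-reaching keys and builds on null-prototype
// objects, so lookups never fall through to Object.prototype.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function parseQuerySafe(qs) {
  const out = Object.create(null);
  for (const [rawKey, value] of new URLSearchParams(qs)) {
    const path = keyPath(rawKey);
    if (path.length === 0 || path.some((k) => BLOCKED_KEYS.has(k))) continue;
    let node = out;
    for (const key of path.slice(0, -1)) {
      if (typeof node[key] !== 'object') node[key] = Object.create(null);
      node = node[key];
    }
    node[path[path.length - 1]] = value;
  }
  return out;
}

// The check from the article; a fresh {} stands in for `window` (assumption:
// both inherit from Object.prototype). Cleans up before and after each run.
function checkParser(parse, qs) {
  delete Object.prototype.testparam;
  parse(qs);
  const verdict = ({}).testparam === 'testval' ? 'vulnerable' : 'not vulnerable';
  delete Object.prototype.testparam;
  return verdict;
}
const SAMPLE_QS = '__proto__[testparam]=testval&user[name]=alice'; // constructed
console.log(checkParser(parseQueryUnsafe, SAMPLE_QS));
console.log(checkParser(parseQuerySafe, SAMPLE_QS));
```

The hardened parser still returns the legitimate `user[name]` value, so the same check can serve as a regression test after a parser is fixed.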

Additional details on how it works are available here.
