SD Times Open-Source Project of the Week: page-fetch

by Joseph K. Clark

Page-fetch is a new open-source tool created by the Detectify Security Research team that helps hunt for prototype pollution issues. 

One of the most common places for prototype pollution — the ability to inject properties into existing JavaScript language construct prototypes — is processing the query string.

Detectify’s solution can already find issues that stem from prototype pollution when running the Deep Scan DAST scanner, and now pentesters, bug bounty hunters, and security researchers can also look for this vulnerability and other client-side issues using page-fetch.


Page-fetch, written in Go, works by taking a list of URLs as its input and fetching them using a headless Chrome browser while storing a copy of every response that it saw, including JavaScript files, CSS files, images, API requests, etc.


By having a copy of those resources, users can build custom word lists and use filters to exclude third-party requests, save only third-party requests, and include or exclude responses based on their content type.

To look for prototype pollution, pick a payload to try in the query string of the input URL and then test whether the value was set as expected. The test code simply checks whether ‘window.testparam’ is equal to ‘testval’; if it is, it returns the string ‘vulnerable’, and ‘not vulnerable’ otherwise. Additional details on how it works are available here.
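The pattern the article describes, as an added example that is not page-fetch’s own code: a client-side query-string parser that turns bracket keys into nested objects (the vulnerable pattern), the hardened form of the same parser, and the ‘window.testparam’ equals ‘testval’ check. The parser, its function names and the probe payload are assumptions made for illustration; Node’s globalThis stands in for the browser’s window object so the check runs offline.

```javascript
// Added example, not page-fetch's own code. Models a query-string parser
// that builds nested objects from "a[b]=v" syntax, the hardened version of
// the same parser, and the "window.testparam === 'testval'" check the
// article describes. Names and the probe payload are constructed for
// illustration; globalThis stands in for the browser's window object.

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// "a[b][c]" -> ["a", "b", "c"]
function keyPath(key) {
  return key.split(/\]?\[|\]$/).filter(Boolean);
}

// Vulnerable pattern: walks into whatever object sits at each path segment,
// so "__proto__[testparam]=testval" walks into Object.prototype and writes
// there, which every object in the page then inherits.
function parseQueryNaive(qs) {
  const out = {};
  for (const pair of qs.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [rawKey, rawVal = ''] = pair.split('=');
    const path = keyPath(decodeURIComponent(rawKey));
    if (path.length === 0) continue;
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof cur[path[i]] !== 'object' || cur[path[i]] === null) cur[path[i]] = {};
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = decodeURIComponent(rawVal);
  }
  return out;
}

// Hardened form: drop any pair whose path names a prototype-related key, build
// containers with a null prototype so no segment can reach Object.prototype,
// and only ever traverse own properties.
function parseQuerySafe(qs) {
  const out = Object.create(null);
  for (const pair of qs.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [rawKey, rawVal = ''] = pair.split('=');
    const path = keyPath(decodeURIComponent(rawKey));
    if (path.length === 0 || path.some((p) => BLOCKED_KEYS.has(p))) continue;
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      if (!Object.prototype.hasOwnProperty.call(cur, path[i]) ||
          typeof cur[path[i]] !== 'object' || cur[path[i]] === null) {
        cur[path[i]] = Object.create(null);
      }
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = decodeURIComponent(rawVal);
  }
  return out;
}

// The check the article describes: an unrelated object (globalThis here, in
// place of window) must never see the probe value.
function checkPollution(target = globalThis) {
  return target.testparam === 'testval' ? 'vulnerable' : 'not vulnerable';
}

// Run one parser against the probe query and report, then remove any
// pollution so later checks start from a clean Object.prototype.
function probe(parser, query) {
  try {
    parser(query);
    return checkPollution();
  } finally {
    delete Object.prototype.testparam;
  }
}

const PROBE = '?__proto__[testparam]=testval'; // constructed probe payload

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive parser:', probe(parseQueryNaive, PROBE));   // vulnerable
  console.log('hardened parser:', probe(parseQuerySafe, PROBE)); // not vulnerable
}
```

The hardened parser applies two independent defences: a deny-list for the three keys that lead to a prototype, and null-prototype containers so that even an unlisted path can only ever create own properties. Either alone stops this probe; keeping both means a gap in one does not reopen the issue.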
