From a5315ef6248bd50e108ee286aefc1dbbc379019e Mon Sep 17 00:00:00 2001
From: zethash <91867430+zethash@users.noreply.github.com>
Date: Sun, 7 Nov 2021 12:18:15 +0300
Subject: [PATCH 1/5] chore: Remove blank options page and script
---
 pages/options.html | 8 --------
 scripts/options.js | 0
 2 files changed, 8 deletions(-)
 delete mode 100644 pages/options.html
 delete mode 100644 scripts/options.js
diff --git a/pages/options.html b/pages/options.html
deleted file mode 100644
index 4ae1c0d..0000000
--- a/pages/options.html
+++ /dev/null
@@ -1,8 +0,0 @@ - - - - - - - -
diff --git a/scripts/options.js b/scripts/options.js
deleted file mode 100644
index e69de29..0000000
From bc5ac95880b82c5e650fc18dda1e3a3491471288 Mon Sep 17 00:00:00 2001
From: zethash <91867430+zethash@users.noreply.github.com>
Date: Sun, 7 Nov 2021 12:19:53 +0300
Subject: [PATCH 2/5] feat: Set unicode meta-tag for all html pages
---
 pages/background.html | 2 +-
 pages/iframe.html | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/pages/background.html b/pages/background.html
index 5911f86..09dae34 100644
--- a/pages/background.html
+++ b/pages/background.html
@@ -1,7 +1,7 @@ - +
diff --git a/pages/iframe.html b/pages/iframe.html
index 5470bad..ed48221 100644
--- a/pages/iframe.html
+++ b/pages/iframe.html
@@ -3,6 +3,7 @@ PP +
From c61942a81199627876185b8a00ce895c8e4d2ebf Mon Sep 17 00:00:00 2001
From: zethash <91867430+zethash@users.noreply.github.com>
Date: Sun, 7 Nov 2021 12:22:09 +0300
Subject: [PATCH 3/5] feat: Remove chrome specific methods, others adaptate
---
 manifest.json | 7 ++++++-
 scripts/background.js | 7 +++++--
 scripts/content_script.js | 2 ++
 scripts/exp.js | 2 ++
 scripts/popup.js | 4 +++-
 scripts/utils.js | 9 +++++----
 6 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/manifest.json b/manifest.json
index 562a712..f964651 100644
--- a/manifest.json
+++ b/manifest.json
@@ -3,7 +3,6 @@
 "version": "1.0",
 "manifest_version": 2,
 "description": "Client Side Prototype Pollution Scanner",
- "options_page": "pages/options.html",
 "permissions": [
 "tabs",
 "storage",
@@ -31,5 +30,11 @@
 ],
 "browser_action": {
 "default_popup": "pages/popup.html"
+ },
+ "applications": {
+ "gecko": {
+ "id": "PPScan@msrkp",
+ "strict_min_version": "57.0"
+ }
 }
 }
\ No newline at end of file
diff --git a/scripts/background.js b/scripts/background.js
index a31f52f..0a63c3c 100644
--- a/scripts/background.js
+++ b/scripts/background.js
@@ -1,3 +1,5 @@
+var chrome = browser;
+
 const databaseUrl = chrome.extension.getURL('/database.csv');
 
 /* initialize */
@@ -7,11 +9,12 @@ setBadgeCount(0);
 
 /* setup listeners */
 chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
- found.add(msg);
+ sourceUrl = new URL(msg);
+ found.add(JSON.stringify({ domain: sourceUrl.origin, type: 'Active Mode', file: sourceUrl.href, lineCol: 0 }));
 setBadgeCount(found.size);
 });
 
-chrome.extension.onConnect.addListener((port) => {
+chrome.runtime.onConnect.addListener((port) => {
 console.log('[>] New Session ', port);
 if (port.name == "logger") {
 port.onMessage.addListener((msg) => {
diff --git a/scripts/content_script.js b/scripts/content_script.js
index 23b29d2..d0d6ebc 100644
--- a/scripts/content_script.js
+++ b/scripts/content_script.js
@@ -1,3 +1,5 @@
+var chrome = browser;
+
 document.addEventListener('TriggerBrute', () => {
 var iframe = document.createElement('iframe');
 iframe.addEventListener('load', () => {
diff --git a/scripts/exp.js b/scripts/exp.js
index 354444c..12965bf 100644
--- a/scripts/exp.js
+++ b/scripts/exp.js
@@ -1,3 +1,5 @@
+var chrome = browser;
+
 var PAYLOADS = [
 // ['XSS Prototype #1', 'x[__proto__][e32a5ec9c99]', 'ddcb362f1d60', ],
 // ['XSS Prototype #2', 'x.__proto__.e32a5ec9c99','ddcb362f1d60', ],
diff --git a/scripts/popup.js b/scripts/popup.js
index b5dd5c0..0724150 100644
--- a/scripts/popup.js
+++ b/scripts/popup.js
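Review bot: The `"applications"` block added in the second manifest.json hunk uses the older name of the Firefox-specific settings key; the current key is `"browser_specific_settings"`, of which `applications` is the legacy alias that Firefox still accepts. Since the hunk already pins `strict_min_version` to `57.0`, the rename is free: `"browser_specific_settings": {`. The `gecko` id also makes the package Firefox-only in practice, which nothing in the repository states yet; a line in the README or the commit message saying so would help anyone who loads it elsewhere.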
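Review bot: `var chrome = browser;` on the first line of background.js, and the identical line added to content_script.js, exp.js, popup.js and utils.js in this commit, throws a ReferenceError in any browser that does not define `browser`, so every script now depends on a Firefox-style namespace without saying so. If Firefox-only is intended, a comment such as `// Firefox only: expose the promise-based browser.* namespace under the chrome name used throughout` would save the next reader a surprise; if both engines are still wanted, `var chrome = globalThis.browser ?? globalThis.chrome;` keeps both working. The `browser.*` methods return Promises, so any remaining call in these files that passes a result callback (the manifest requests `storage`, so such calls are plausible) needs checking after this alias. The context line `chrome.extension.getURL('/database.csv')` also keeps a deprecated call; `chrome.runtime.getURL('/database.csv')` is the maintained equivalent and matches the commit's stated intent.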
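Review bot: `sourceUrl = new URL(msg);` in the onMessage listener assigns to a name that is never declared, which creates an implicit global (and a ReferenceError under strict mode), and `new URL()` throws a TypeError for any message that is not an absolute URL, so such a message aborts the listener without a log line and the badge is never updated. The unused `sender` argument on the same line carries the sending frame's URL, so the reported origin could be taken from the browser instead of the message payload if that is what the payload is meant to represent; a comment stating which one is trusted would help either way. Declaring the variable and rejecting unparsable messages explicitly keeps `found` and the badge consistent:
```javascript
chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
  let sourceUrl;
  try {
    sourceUrl = new URL(msg);
  } catch (err) {
    console.warn('[!] Ignoring message that is not a URL', msg, err);
    return;
  }
  found.add(JSON.stringify({ domain: sourceUrl.origin, type: 'Active Mode', file: sourceUrl.href, lineCol: 0 }));
  setBadgeCount(found.size);
});
```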
@@ -1,4 +1,6 @@
-var port = chrome.extension.connect({
+var chrome = browser;
+
+var port = chrome.runtime.connect({
 name: "logger"
 });
 
diff --git a/scripts/utils.js b/scripts/utils.js
index afedb98..4d2cb59 100644
--- a/scripts/utils.js
+++ b/scripts/utils.js
@@ -1,3 +1,5 @@
+var chrome = browser;
+
 const DEBUG = false;
 
 const blacklist = [
@@ -107,8 +109,7 @@ const check = ({ requestUri, initiator }) => {
 if (blacklist.indexOf(requestUri + ':' + lineCol) != -1) {
 return;
 }
-
- found.add(JSON.stringify({ domain: initiator, type: name, file: requestUri, lineCol }))
+ found.add(JSON.stringify({ domain: new URL(initiator).origin, type: name, file: requestUri, lineCol }))
 setBadgeCount(found.size);
 });
 })
@@ -120,9 +121,9 @@ const filter = {
 types: ["script"]
 };
 
-const scan = ({ method, url, initiator }) => {
+const scan = (request) => {
 // if (method == "GET") {
- check({ requestUri: url, initiator });
+ check({ requestUri: request.url, initiator: request.originUrl });
 // }
 };
 
From 9edc2fd6aebf2a02de0abbd55a48217991be7b47 Mon Sep 17 00:00:00 2001
From: zethash <91867430+zethash@users.noreply.github.com>
Date: Sun, 7 Nov 2021 12:36:54 +0300
Subject: [PATCH 4/5] docs: Manual for temporary install or build
---
 README.md | 24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)
diff --git a/README.md b/README.md
index 1567992..1ad7cb7 100644
--- a/README.md
+++ b/README.md
@@ -12,23 +12,19 @@ Client Side Protype pollution Scanner
 ### How to use?
-
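Review bot: `new URL(initiator).origin` in the second utils.js hunk throws a TypeError when `initiator` is undefined or not an absolute URL, and the third hunk now feeds it `request.originUrl`, which Firefox's webRequest details leave unset for requests that have no originating document (as far as I can tell; worth confirming against the listener that uses `filter`). The throw happens inside the callback that `check` runs, so such a request is now dropped silently instead of being recorded as it was before this change. A tolerant form keeps the previous behaviour for those cases: `let domain = initiator;` then `try { domain = new URL(initiator).origin; } catch { /* keep the raw value */ }` and `domain` in the JSON. In the third hunk the commented-out `// if (method == "GET")` now refers to a binding that no longer exists; `request.method` would keep the comment accurate. `check` begins before its hunk and continues past it.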
    -
  1. Clone the repo
  2. -
  3. Install addon - - * In chrome, - * Go to More Tools -> Extenstions - * Enable Developer Mode - * Click on "Load unpacked" and select the cloned repo folder. - -
  4. -
  5. Visit the websites you want to test
  6. -
-
+* Clone the repo
+* Temporaty install
+ * In Firefox, go to `about:debugging#/runtime/this-firefox`
+ * Click on "Load temporaty add-on" and select `manifest.json` from the cloned repo folder.
+* Persistent install
+ * Build `npm install --global web-ext` & `web-ext build` or `npx web-ext build`
+ * After executing commands, an extension file should appear in ./web-ext-artifacts/ppscan-{Version number}.zip
+ * To install an extension from a file, switch `xpinstall.signatures.required parameter` to `false` in Firefox on `about:config` page.
+ * Click "Install add-on from file" on `about:addons` page and select ppscan-{Version number}.zip
+* Visit the websites you want to test
 It only checks for vulnerable location parsers.
-
 ### Examples
 1. https://msrkp.github.io/pp/1.html
 2. https://msrkp.github.io/pp/2.html
From 32f43b58aedc1ff060b3d21ec010ccc666ea2dd6 Mon Sep 17 00:00:00 2001
From: zethash <91867430+zethash@users.noreply.github.com>
Date: Sun, 7 Nov 2021 12:37:28 +0300
Subject: [PATCH 5/5] chore: Ignore folder with builded ext zips
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index e43b0f9..4e463ed 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 .DS_Store
+web-ext-artifacts/*
\ No newline at end of file