Firefox port #16

Open
wants to merge 5 commits into
base: main
1 change: 1 addition & 0 deletions .gitignore
@@ -1 +1,2 @@
.DS_Store
web-ext-artifacts/*
24 changes: 10 additions & 14 deletions README.md
Expand Up @@ -12,23 +12,19 @@ Client Side Protype pollution Scanner


### How to use?
<ol>
<li>Clone the repo</li>
<li>Install addon

* In chrome,
* Go to More Tools -> Extenstions
* Enable Developer Mode
* Click on "Load unpacked" and select the cloned repo folder.

</li>
<li>Visit the websites you want to test</li>
</ol>

* Clone the repo
* Temporaty install
* In Firefox, go to `about:debugging#/runtime/this-firefox`
* Click on "Load temporaty add-on" and select `manifest.json` from the cloned repo folder.
* Persistent install
* Build `npm install --global web-ext` & `web-ext build` or `npx web-ext build`
* After executing commands, an extension file should appear in ./web-ext-artifacts/ppscan-{Version number}.zip
* To install an extension from a file, switch `xpinstall.signatures.required parameter` to `false` in Firefox on `about:config` page.
* Click "Install add-on from file" on `about:addons` page and select ppscan-{Version number}.zip
* Visit the websites you want to test

It only checks for vulnerable location parsers.


### Examples
1. https://msrkp.github.io/pp/1.html
2. https://msrkp.github.io/pp/2.html
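Review bot: the new "Persistent install" steps tell the reader to set `xpinstall.signatures.required` to `false`, which turns off add-on signature verification for every extension in that profile, and Release and Beta builds of Firefox ignore the preference anyway, so this path will not work for most users. Suggest pointing at `web-ext sign` (or a Developer Edition/Nightly profile used only for testing) and stating which builds honour the preference. Two smaller points in the same hunk: "Temporaty" should be "Temporary" in both places (the Firefox button is labelled "Load Temporary Add-on"), and dropping the Chrome `<ol>` block leaves the README with no Chrome instructions at all; if Chrome is no longer supported after this PR, say so, otherwise keep both sections.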
7 changes: 6 additions & 1 deletion manifest.json
Expand Up @@ -3,7 +3,6 @@
"version": "1.0",
"manifest_version": 2,
"description": "Client Side Prototype Pollution Scanner",
"options_page": "pages/options.html",
"permissions": [
"tabs",
"storage",
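Review bot: removing `options_page` is consistent with deleting pages/options.html and scripts/options.js elsewhere in this PR, but the `storage` permission is still requested in the context lines below; if the removed options page was its only user, drop it too so the extension asks only for what it still needs.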
Expand Down Expand Up @@ -31,5 +30,11 @@
],
"browser_action": {
"default_popup": "pages/popup.html"
},
"applications": {
"gecko": {
"id": "PPScan@msrkp",
"strict_min_version": "57.0"
}
}
}
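Review bot: `applications` is the deprecated name for this block; `browser_specific_settings` is the key current Firefox documentation uses and has been accepted since Firefox 48, well below the `strict_min_version` of 57.0 declared here, so switching the key costs nothing. Also treat the `"id"` value as permanent from this point on: Firefox keys the add-on's storage and updates to it, so changing it later makes installs look like a different extension.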
2 changes: 1 addition & 1 deletion pages/background.html
@@ -1,7 +1,7 @@
<html>

<head>

<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>

<body>
1 change: 1 addition & 0 deletions pages/iframe.html
Expand Up @@ -3,6 +3,7 @@

<head>
<title>PP</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>

<body>
8 changes: 0 additions & 8 deletions pages/options.html

This file was deleted.

7 changes: 5 additions & 2 deletions scripts/background.js
@@ -1,3 +1,5 @@
var chrome = browser;

const databaseUrl = chrome.extension.getURL('/database.csv');

/* initialize */
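Review bot: `var chrome = browser;` throws a ReferenceError in Chrome, where `browser` is undefined, so as written this hunk (and the identical line added to content_script.js, exp.js, popup.js and utils.js) replaces Chrome support rather than adding Firefox support alongside it. Firefox already exposes a callback-style `chrome` namespace, so if one code base for both browsers is the goal, guard the alias, e.g. `var chrome = typeof browser !== 'undefined' ? browser : chrome;`, or use Mozilla's webextension-polyfill and write against `browser` throughout.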
Expand All @@ -7,11 +9,12 @@ setBadgeCount(0);

/* setup listeners */
chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
found.add(msg);
sourceUrl = new URL(msg);
found.add(JSON.stringify({ domain: sourceUrl.origin, type: 'Active Mode', file: sourceUrl.href, lineCol: 0 }));
setBadgeCount(found.size);
});

chrome.extension.onConnect.addListener((port) => {
chrome.runtime.onConnect.addListener((port) => {
console.log('[>] New Session ', port);
if (port.name == "logger") {
port.onMessage.addListener((msg) => {
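Review bot: `sourceUrl = new URL(msg);` assigns an undeclared identifier, creating an implicit global (and a ReferenceError under `'use strict'`); declare it with `const`. More importantly, `new URL(msg)` throws a TypeError when `msg` is not an absolute URL, and the listener never checks `sender`, so one malformed message from any content script aborts the handler before `setBadgeCount` runs. Validate the message (`typeof msg === 'string'`, with the `URL` constructor inside a try/catch and `sender.url` as the fallback for the domain) so a single bad message cannot break the session. The `chrome.extension.onConnect` to `chrome.runtime.onConnect` change is correct and pairs with popup.js.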
2 changes: 2 additions & 0 deletions scripts/content_script.js
@@ -1,3 +1,5 @@
var chrome = browser;

document.addEventListener('TriggerBrute', () => {
var iframe = document.createElement('iframe');
iframe.addEventListener('load', () => {
2 changes: 2 additions & 0 deletions scripts/exp.js
@@ -1,3 +1,5 @@
var chrome = browser;

var PAYLOADS = [
// ['XSS Prototype #1', 'x[__proto__][e32a5ec9c99]', 'ddcb362f1d60', ],
// ['XSS Prototype #2', 'x.__proto__.e32a5ec9c99','ddcb362f1d60', ],
Empty file removed scripts/options.js
Empty file.
4 changes: 3 additions & 1 deletion scripts/popup.js
@@ -1,4 +1,6 @@
var port = chrome.extension.connect({
var chrome = browser;

var port = chrome.runtime.connect({
name: "logger"
});

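Review bot: `chrome.runtime.connect` is the right replacement here (`extension.connect` was a deprecated Chrome-only alias) and it matches the `runtime.onConnect` change in background.js. For the same reason, `chrome.extension.getURL('/database.csv')` in background.js, left unchanged in this PR, should become `chrome.runtime.getURL('/database.csv')`; `extension.getURL` is deprecated in both browsers.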
9 changes: 5 additions & 4 deletions scripts/utils.js
@@ -1,3 +1,5 @@
var chrome = browser;

const DEBUG = false;

const blacklist = [
Expand Down Expand Up @@ -107,8 +109,7 @@ const check = ({ requestUri, initiator }) => {
if (blacklist.indexOf(requestUri + ':' + lineCol) != -1) {
return;
}

found.add(JSON.stringify({ domain: initiator, type: name, file: requestUri, lineCol }))
found.add(JSON.stringify({ domain: new URL(initiator).origin, type: name, file: requestUri, lineCol }))
setBadgeCount(found.size);
});
})
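Review bot: `new URL(initiator).origin` throws a TypeError whenever `initiator` is undefined or not an absolute URL, and the callers can produce exactly that: Firefox omits `originUrl` for some requests and Chrome sets `initiator` to the string `"null"` for opaque origins. Because this runs inside the callback closed by the `});` below, the exception ends the callback and the finding is lost with nothing but a console error. Wrap it: `let domain; try { domain = new URL(initiator).origin; } catch (e) { domain = String(initiator); }` and pass `domain` to `found.add`.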
Expand All @@ -120,9 +121,9 @@ const filter = {
types: ["script"]
};

const scan = ({ method, url, initiator }) => {
const scan = (request) => {
// if (method == "GET") {
check({ requestUri: url, initiator });
check({ requestUri: request.url, initiator: request.originUrl });
// }
};
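Review bot: `request.originUrl` is a Firefox-only field of the webRequest details object; Chrome exposes the requester as `request.initiator` (an origin, not a URL) and has no `originUrl`, so on Chrome `initiator` is now always `undefined`. If Chrome is still a target, pass `initiator: request.originUrl || request.initiator` (the `.origin` normalisation in `check` handles both shapes), and consider keeping the destructured parameter form so the fields `scan` depends on stay visible at the signature.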
