Take a list of URLs and check each for client-side prototype pollution by appending __proto__[testparam]=testval and verifying that the rendered page exposes window.testparam === 'testval'.
Built on top of detectify/page-fetch for headless rendering.
Requires Go 1.17+.

    go install github.com/PiyushThePal/prototype-polluter@latest

page-fetch is auto-installed on first run if not already on PATH. Make sure $GOPATH/bin (or $HOME/go/bin) is in your PATH.

    prototype-polluter -h

Pipe URLs in via stdin:

    cat domains-list.txt | prototype-polluter

Verbose mode also shows non-vulnerable results:

    cat domains-list.txt | prototype-polluter -v

Combine with waybackurls for live recon:

    waybackurls example.com | prototype-polluter -v

For each URL on stdin:
- Append ?__proto__[testparam]=testval (or &... if a query string already exists).
- Render the URL with page-fetch and evaluate window.testparam == 'testval' ? 'Vulnerable' : 'Not Vulnerable'.
- Print Vulnerable --> <url> for hits.
False positives are possible — manually verify before reporting.
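
What a hit means on the page side, as an added example that is not part of prototype-polluter or page-fetch: a naive bracket-key query parser that the probe pollutes, next to a hardened one. It is written in JavaScript because the flaw lives in client-side code; parseQueryNaive, parseQuerySafe and probe are hypothetical names, and a fresh object stands in for window.

```javascript
// Added example; all function names here are hypothetical.
// Split "a[b][c]" into ["a", "b", "c"].
function keyPath(rawKey) {
  return rawKey.split(/[\[\]]+/).filter(Boolean);
}

// Vulnerable pattern: walking bracket keys on plain objects means "__proto__"
// resolves to Object.prototype, so the final assignment lands there.
function parseQueryNaive(query) {
  const out = {};
  for (const [rawKey, value] of new URLSearchParams(query)) {
    const path = keyPath(rawKey);
    if (path.length === 0) continue;
    let node = out;
    for (const part of path.slice(0, -1)) {
      if (typeof node[part] !== "object" || node[part] === null) node[part] = {};
      node = node[part];
    }
    node[path[path.length - 1]] = value;
  }
  return out;
}

// Hardened: null-prototype containers plus a deny-list of prototype-reaching keys.
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);
function parseQuerySafe(query) {
  const out = Object.create(null);
  for (const [rawKey, value] of new URLSearchParams(query)) {
    const path = keyPath(rawKey);
    if (path.length === 0 || path.some((p) => BLOCKED.has(p))) continue;
    let node = out;
    for (const part of path.slice(0, -1)) {
      if (typeof node[part] !== "object" || node[part] === null) node[part] = Object.create(null);
      node = node[part];
    }
    node[path[path.length - 1]] = value;
  }
  return out;
}

// Feed the page's probe to a parser, then apply the same check the tool
// evaluates on window (here: does a fresh object inherit testparam?).
function probe(parser) {
  parser("?__proto__[testparam]=testval");
  const polluted = ({}).testparam === "testval";
  delete Object.prototype.testparam; // reset so the next check starts clean
  return polluted ? "Vulnerable" : "Not Vulnerable";
}

console.log(probe(parseQueryNaive), "/", probe(parseQuerySafe)); // Vulnerable / Not Vulnerable
```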
For authorized security testing only — bug bounty programs in scope, your own assets, or explicit pentest engagements. Spraying prototype-pollution probes at targets you don't have permission to test is not OK.
MIT