kleiton0x00/ppmap

Add the location.hash source

Closed this issue · 5 comments

Hi,

Some web pages may use the "location.hash" to read the hash value. It's better to check this source along with the "location.search". The following code uses a vulnerable gadget (jquery deparam) to read the hash value.

Payload for this gadget: `?__proto__[onload]=alert(1)`
Case-1: `location.search` -> ppmap detects the pollution and generates the above payload
Case-2: `location.hash` -> ppmap does not detect the pollution

```html
<script src="https://rawcdn.githack.com/AceMetrix/jquery-deparam/81428b3939c4cbe488202b5fa823ad661d64fb49/jquery-deparam.js"></script>
<script>
  // location.search -> location.hash
  var query = deparam(location.hash.substr(1));
</script>
```
XSS Challenge from r/Slackers

I'm sorry, but I didn't quite understand the Case-1&2. Ppmap uses only window.ppmap to identify the pollution.
Can you please provide more information and an example if possible as I'm not able to reproduce the issue?

Yeah, sure! ppmap's workflow is as follows:

  • Detecting the pollution
  • Fingerprinting the vulnerable gadget
  • Generating the payload

For detecting the pollution, ppmap sends the following payloads as "query string" first. Then it checks the window.ppmap to verify the pollution:

```go
payloads := [4]string{
	"constructor%5Bprototype%5D%5Bppmap%5D=reserved",
	"__proto__.ppmap=reserved",
	"constructor.prototype.ppmap=reserved",
	"__proto__%5Bppmap%5D=reserved",
}
```

The problem here is not the window.ppmap. It's about sending the above payloads as query strings:
`?constructor%5Bprototype%5D%5Bppmap%5D=reserved`

This only works for pages which include the "location.search" to read the payloads. If you change the source to "location.hash", the detection phase will fail.
To reproduce this issue, you can use the following example:

ppmap works fine here because this page uses the location.search:
```js
var query = deparam(location.search.slice(1));
```

But if you change the source to `var query = deparam(location.hash.substr(1));`, ppmap won't detect the pollution, because the page only accepts the hash value parameters from the client and this tool only sends the payloads as query strings.
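To make the gap concrete, here is an added Go example (not ppmap's own code) that takes the four detection payloads quoted in this thread and builds a probe URL for both sources, so a page that reads either `location.search` or `location.hash` gets covered. The helper names `DetectionURL` and `DetectionURLs` are my own, and the example only builds the URLs; sending them and checking `window.ppmap` afterwards is left to the tool.

```go
package main

import "net/url"

// Detection payloads quoted in this thread; they are already URL-encoded.
var payloads = []string{
	"constructor%5Bprototype%5D%5Bppmap%5D=reserved",
	"__proto__.ppmap=reserved",
	"constructor.prototype.ppmap=reserved",
	"__proto__%5Bppmap%5D=reserved",
}

// DetectionURL puts one pre-encoded payload into target, in the fragment when
// viaHash is true (for pages reading location.hash) and in the query string
// otherwise (location.search). The query variant is appended so the page's own
// parameters survive; the hash variant replaces any existing fragment. The
// payload goes in verbatim: re-encoding %5B/%5D would change what it parses as.
func DetectionURL(target, payload string, viaHash bool) (string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", err
	}
	u.Fragment, u.RawFragment = "", "" // dropped here, re-added verbatim below
	if viaHash {
		return u.String() + "#" + payload, nil
	}
	if u.RawQuery != "" {
		payload = "&" + payload
	}
	u.RawQuery += payload
	return u.String(), nil
}

// DetectionURLs expands every payload into both variants, so a page reading
// either location.search or location.hash gets probed.
func DetectionURLs(target string) ([]string, error) {
	out := make([]string, 0, 2*len(payloads))
	for _, p := range payloads {
		for _, viaHash := range []bool{false, true} {
			u, err := DetectionURL(target, p, viaHash)
			if err != nil {
				return nil, err
			}
			out = append(out, u)
		}
	}
	return out, nil
}
```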

Can you please confirm if v1.2.0 fixes this issue?

Looks good to me! It's fixed.

Thank you for your feedback!