A simple scanner/exploitation tool written in Go that automatically exploits known, existing gadgets (it checks for specific variables in the global context) to perform XSS via Prototype Pollution. NOTE: The program only exploits known gadgets. It does not cover code analysis or any advanced Prototype Pollution exploitation, which may include custom gadgets.
**Requirements**
Make sure to have [chromedp](https://github.com/chromedp/chromedp) installed:
`go get -u github.com/chromedp/chromedp`
**Installation**
* Automatically
  * Download the precompiled binary [here](https://github.com/kleiton0x00/ppmap/releases)
  * Give it permission to execute: `chmod +x ppmap`
* Manually (compile it yourself)
  * Clone the project:
    `git clone https://github.com/kleiton0x00/ppmap.git`
  * Change directory to the ppmap folder:
    `cd ppmap`
  * Build the binary:
    `go build ppmap.go`
**Usage**
Using the program is simple. You can either:
* scan a directory/file (or even just the website): `echo 'https://target.com/index.html' | ./ppmap`
* or an endpoint: `echo 'http://target.com/something/?page=home' | ./ppmap`

For mass scanning:
`cat url.txt | ./ppmap` where **url.txt** contains the URLs, one per line.
**Demo**
Feel free to test the tool on the following websites as a demonstration:
<https://msrkp.github.io/pp/2.html>
<https://ctf.nikitastupin.com/pp/known.html>
**Workflow**
* Identify whether the website is vulnerable to Prototype Pollution with a heuristic scan
* Fingerprint the known gadgets (checks for specific variables in the global context)
* Display the final exploit, ready to perform XSS
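
What the heuristic step checks for, shown as an added example (not ppmap's code and not from the original page): a query-string parser that deep-assigns bracketed keys, run with and without key filtering. The parser, all function names and the `ppCheck` marker are assumptions made for illustration.

```javascript
// Added example (not ppmap code). All function names are hypothetical.
// A deep-assigning query-string parser: "a[b]=1" becomes {a: {b: "1"}}.

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a[b][c]" into ["a", "b", "c"].
function keyPath(rawKey) {
  return rawKey.replace(/\]/g, '').split('[');
}

// Parse a query string into a nested object. With safe=false the parser
// walks into whatever key the URL names, including "__proto__", so the
// write lands on Object.prototype. With safe=true such pairs are dropped
// and the result objects have no prototype at all.
function parseQuery(query, safe) {
  const result = safe ? Object.create(null) : {};
  for (const [rawKey, value] of new URLSearchParams(query)) {
    const path = keyPath(rawKey);
    if (safe && path.some((k) => BLOCKED_KEYS.has(k))) continue;
    let node = result;
    for (const key of path.slice(0, -1)) {
      if (typeof node[key] !== 'object' || node[key] === null) {
        node[key] = safe ? Object.create(null) : {};
      }
      node = node[key];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// The property a heuristic check can observe: does a brand-new object
// inherit a property that nothing assigned to it?
function isPolluted(marker) {
  return ({})[marker] !== undefined;
}

// Constructed input: a harmless marker property name and value.
function demo() {
  const query = 'page=home&__proto__[ppCheck]=polluted';
  parseQuery(query, true);
  const afterSafe = isPolluted('ppCheck');
  parseQuery(query, false);
  const afterUnsafe = isPolluted('ppCheck');
  delete Object.prototype.ppCheck; // clean up the shared prototype
  return { afterSafe, afterUnsafe };
}
```

A gadget is any later code that reads an unset option from a plain object and passes it to a sink, which is why filtering keys at the parser closes the whole class rather than one gadget at a time.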
**Credits**
Many thanks to @Tomnomnom for the inspiration: <https://www.youtube.com/watch?v=Gv1nK6Wj8qM&t=1558s>
The workflow of this program is largely based on this article: <https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2>
The fingerprint JavaScript file is based on this gist: <https://gist.github.com/nikitastupin/b3b64a9f8c0eb74ce37626860193eaec>
**[Download Ppmap](https://github.com/kleiton0x00/ppmap)**
Published by KitPloit on 2021-07-25: <http://www.kitploit.com/2021/07/ppmap-scannerexploitation-tool-written.html>