SD Times Open-Source Project of the Week: page-fetch

Page-fetch is a new open-source tool created by the Detectify Security Research team that helps hunt for prototype pollution issues.

One of the common places for prototype pollution (the ability to inject properties into existing JavaScript language construct prototypes) is in processing the query string.

Detectify’s solution can already find issues that stem from prototype pollution when running the Deep Scan DAST scanner, but now pentesters, bug bounty hunters and security researchers can also look for this vulnerability, as well as other client-side issues, using page-fetch.

Page-fetch, which is written in Go, takes a list of URLs as its input and fetches them using a headless Chrome browser, storing a copy of every response it sees along the way, including JavaScript files, CSS files, images, API requests, and so on.


With a copy of those resources, users can build custom word lists and use filters to exclude third-party requests, save only third-party requests, and include or exclude requests based on their content-type.

To look for prototype pollution, one needs to pick a payload to try in the query string of the input URL, and then test whether the value was set as expected. The test code simply checks whether ‘window.testparam’ is equal to ‘testval’; if it is, it returns the string ‘vulnerable’, and otherwise it returns ‘not vulnerable’.
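The check described above, as an added example in JavaScript (not page-fetch's or Detectify's own code): a constructed query-string parser that is susceptible to prototype pollution, next to a hardened version, with the same test applied to both. The parser names, the sample query string, and the use of a fresh object in place of `window` (so it also runs under Node.js) are assumptions made for illustration.

```javascript
// Added example: constructed parsers and sample input, not page-fetch code.
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);
const SAMPLE = "__proto__[testparam]=testval&page=2"; // constructed query string

// Split "a[b][c]" into ["a", "b", "c"].
const keyPath = (key) => key.split(/[\[\]]+/).filter(Boolean);

// Shared deep-assign loop; `make` creates intermediate objects and
// `allow` decides whether a key path may be written at all.
function assignAll(query, root, make, allow) {
  for (const [key, value] of new URLSearchParams(query)) {
    const path = keyPath(key);
    if (path.length === 0 || !allow(path)) continue;
    let node = root;
    for (const part of path.slice(0, -1)) {
      if (typeof node[part] !== "object" || node[part] === null) node[part] = make();
      node = node[part];
    }
    node[path[path.length - 1]] = value;
  }
  return root;
}

// Naive: follows any path, so "__proto__" resolves to Object.prototype.
const parseNaive = (q) => assignAll(q, {}, () => ({}), () => true);

// Hardened: null-prototype containers and a denylist for prototype-reaching keys.
const parseHardened = (q) =>
  assignAll(q, Object.create(null), () => Object.create(null),
    (path) => !path.some((p) => BLOCKED.has(p)));

// The check from the text; a fresh object stands in for `window` (assumption).
function check() {
  return ({}).testparam === "testval" ? "vulnerable" : "not vulnerable";
}

function probe(parser, query) {
  delete Object.prototype.testparam; // start from a clean prototype
  parser(query);
  const verdict = check();
  delete Object.prototype.testparam; // undo any pollution before returning
  return verdict;
}

console.log("naive:   ", probe(parseNaive, SAMPLE));
console.log("hardened:", probe(parseHardened, SAMPLE));
```

The hardened parser still accepts ordinary nested keys such as `a[b]=1`; only key paths that reach a prototype are dropped.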

Additional details on how it works are available here.
