Original Post: Finding client-side prototype pollution with DOM Invader | Blog
The article details the enhancements made to DOM Invader, a tool developed by PortSwigger, for detecting client-side prototype pollution (CSPP) vulnerabilities. The new version simplifies finding CSPP sources and gadgets by letting users automate and verify the detection process. It explains prototype pollution, which occurs when user-controlled keys are merged unsanitized into objects, leading to dangerous assignments on Object.prototype. The article walks through using DOM Invader's features to discover and exploit these vulnerabilities, provides example code, and suggests enabling certain settings for better detection. It also mentions improvements made based on real-world testing and the addition of useful callbacks to make vulnerability logging easier. To use the updated tool, users are encouraged to update their Burp Suite to the latest version on the Early Adopter channel.
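To make the summary's point about unsanitized merges concrete, here is an added example (not code from the original post or from DOM Invader) showing a naive recursive merge beside a hardened one, with a probe that reports whether Object.prototype has been polluted. The function names `unsafeMerge`, `safeMerge`, `isPolluted` and `demo`, and the JSON input, are constructed for this illustration.

```javascript
// Added example, not from the PortSwigger post or DOM Invader.
// A recursive merge of this shape is the classic CSPP source: it walks into
// whatever keys the input carries, including "__proto__".

// Vulnerable form: no key filtering. When `source` holds an own property
// named "__proto__", `target["__proto__"]` resolves to Object.prototype and
// the recursion writes the attacker's keys onto it.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened form: refuse the keys that reach the prototype chain, iterate only
// own keys, and never recurse into an inherited property of `target`.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // drop the dangerous keys entirely
    const value = source[key];
    const isPlainObject =
      value !== null && typeof value === 'object' && !Array.isArray(value);
    if (isPlainObject) {
      const hasOwnObject =
        Object.prototype.hasOwnProperty.call(target, key) &&
        target[key] !== null && typeof target[key] === 'object';
      if (!hasOwnObject) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Probe: true if `prop` has been written onto Object.prototype itself.
function isPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Runs both merges on a constructed input shaped like user-controlled JSON
// (the kind of data a CSPP source hands to a merge) and reports the outcome.
function demo() {
  const untrusted = JSON.parse('{"__proto__": {"polluted": "yes"}, "theme": "dark"}');

  unsafeMerge({}, untrusted);
  const unsafeResult = isPolluted('polluted'); // true: every object now inherits it
  delete Object.prototype.polluted;            // restore the shared global for the next run

  const safeMerged = safeMerge({}, untrusted);
  const safeResult = isPolluted('polluted');   // false: the key was dropped

  return { unsafeResult, safeResult, safeMerged };
}
```

Run `demo()` to see the difference: the unsafe merge leaves `polluted` readable on every object in the page, which is exactly the condition a gadget later turns into something harmful, while the hardened merge keeps the harmless `theme` key and discards the rest.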
Credits are given to various individuals who contributed to the tool’s development and the broader research community on the subject.
Go here to read the Original Post