
© 2024 – Pkg Stats / Ryan Hefner

ppfang

v1.3.5

Published

A service which detects prototype pollution in libraries

Downloads

20

Readme

PPFang - Identify Client-Side Prototype Pollution


Are you concerned about prototype pollution vulnerabilities in your JavaScript code? Look no further! PPFang is here to help you identify and eliminate prototype polluting libraries.

Inspiration

My project was influenced by Huli's (@aszx87410) work on cdnjs-prototype-pollution. After exploring his approach, I was motivated to develop my own project, taking a different path.

What is PPFang?

PPFang is a powerful tool designed to detect and mitigate prototype pollution vulnerabilities in your client-side JavaScript code. With PPFang, you can ensure the security and reliability of your applications by identifying and eliminating potential risks.

Features

🔍 Verify the latest libraries from cdnjs.com

📜 Check a list of URLs for client-side prototype polluting functions

🚀 Easy installation and usage

Prerequisites

Before getting started with PPFang, make sure you have the following prerequisites installed on your Ubuntu/Debian system:

  • libnss3
  • libxss1
  • libasound2
  • libatk-bridge2.0-0
  • libgtk-3-0
  • libgbm-dev

Installation

Prerequisites on Ubuntu/Debian

If you see the following message on Ubuntu/Debian when PPFang launches its bundled Chrome:

/.cache/puppeteer/chrome/linux-1108766/chrome-linux/chrome: error while loading shared libraries: libatk-1.0.so.0: cannot open shared object file: No such file or directory

install the missing packages:

sudo apt-get install libnss3 libxss1 libasound2 libatk-bridge2.0-0 libgtk-3-0 libgbm-dev

Install PPFang

To install PPFang globally from npm, run:

npm install -g ppfang

Or, if you prefer, install it as an npm package from a checkout of this repo:

npm install -g .

Or run it directly from the repo without installing:

node index.js

or with arguments:

node index.js -- [arguments go here]

Usage

Usage: ppfang [command] [option]

A tool which helps identifying client-side prototype polluting libraries

Options:
  -h, --help       display help for command

Commands:
  cdnjs [options]  Verifies the latest libraries from cdnjs.com
  pipe [options]   Checks a list of urls provided through stdin for client-side prototype polluting functions
  help [command]   display help for command


Examples:

  ppfang cdnjs

  ppfang cdnjs -c 50

  cat urls.txt | ppfang pipe -c 10

  echo "https://somesite.com/" | ppfang pipe

  gau --blacklist png,jpg,gif,txt,json,js some-random-domain.com | ppfang pipe -c 50

  ppfang --help || ppfang

Happy hunting!

Interpreting Results 🧐

PPFang outputs a list of potential prototype pollution findings. For example, you might see a result like String.prototype.$initialize. This means that the library under test added an $initialize function to String.prototype, i.e. it is potentially polluting the String prototype.
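The check behind a finding such as String.prototype.$initialize, written as an added example rather than PPFang's own code: snapshot the own property keys of the built-in prototypes, load the library, and report every key that appeared. The `constructedPollutingLibrary` function is a constructed stand-in for a third-party script.

```javascript
// Added example (not PPFang's own code): detect properties a library adds to
// built-in prototypes, the kind of finding PPFang reports as
// "String.prototype.$initialize".
const BUILTINS = { Object, String, Array, Function, Number, Boolean };

// Snapshot the own property keys (string and symbol) of each built-in prototype.
function snapshotPrototypes() {
  const snap = {};
  for (const [name, ctor] of Object.entries(BUILTINS)) {
    snap[name] = new Set(Reflect.ownKeys(ctor.prototype).map(String));
  }
  return snap;
}

// Compare two snapshots and return "X.prototype.key" for every key that was
// added. Keys removed or overwritten in place are not reported by this diff.
function diffPrototypes(before, after) {
  const findings = [];
  for (const name of Object.keys(before)) {
    for (const key of after[name]) {
      if (!before[name].has(key)) findings.push(`${name}.prototype.${key}`);
    }
  }
  return findings.sort();
}

// Run loadLibrary (a function that evaluates third-party code) between two
// snapshots and report what it added to the built-in prototypes.
function findPrototypeAdditions(loadLibrary) {
  const before = snapshotPrototypes();
  loadLibrary();
  return diffPrototypes(before, snapshotPrototypes());
}

// Constructed sample "library" that behaves like the polluting ones PPFang
// flags: it extends String.prototype and Object.prototype.
function constructedPollutingLibrary() {
  String.prototype.$initialize = function () { return this.toString(); };
  Object.defineProperty(Object.prototype, "$eql?", {
    value() { return false; },
    configurable: true,
  });
}

// Remove the constructed additions again so the host process is left clean.
function removeConstructedAdditions() {
  delete String.prototype.$initialize;
  delete Object.prototype["$eql?"];
}
```

Keys that a library merely overwrites (an existing prototype method replaced with a polluting one) need a value comparison, which this diff leaves out.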

Testing Vulnerabilities 🔍

You can test the potential impact of this pollution by calling the reported function in the context of its prototype. For instance, you can trigger an alert() like this:

String.prototype.$initialize.call(alert(document.domain))

For special cases, where the reported function names contain characters that are not valid in dot notation (for example String.prototype.$<=>, String.prototype.$==, String.prototype.$eql? and so on), use bracket notation:

String.prototype['$<=>'].call(alert(document.domain))

In this example, document.domain is passed to the alert() function. If the prototype pollution vulnerability is exploitable, this will display an alert box with the current document's domain.

Mitigating Risks 🛡️

Once you've identified potential vulnerabilities, take the steps to mitigate them. This might involve refactoring your code or removing the offending library.

Remember, the goal of PPFang is to help you identify these potential vulnerabilities so you can take steps to mitigate them. Always ensure to validate the findings and take appropriate action to secure your code.

Presentations that mention PPFang

sec4dev 2022 – Bypassing CSPs Zero to hero – Robbe Van Roey

Greetings to everyone