Ppmap – A Scanner or Exploitation Tool Written In GO

Last Updated : 23 Sep, 2021

Web-based applications have specific variables in the global context which are known as gadgets. A pen tester can use these gadgets to perform XSS attacks through the Prototype Pollution method. Prototype Pollution is a vulnerability that can affect JavaScript applications. Various automated tools can perform this task; Ppmap is one such tool, which aims to perform XSS via Prototype Pollution on the target domain. Ppmap is developed in the Go language and automatically scans the target domain to identify the gadgets on it. Ppmap is available on GitHub, and it is free and open source.

Note: As Ppmap is a Golang-based tool, you need to have a Golang environment on your system. To download and install Golang, see: How to Install Go Programming Language in Linux

Installation of Ppmap Tool in Kali Linux OS

Step 1: Use the following command to clone the tool's repository onto your Kali Linux operating system.

git clone https://github.com/kleiton0x00/ppmap.git

Step 2: Now use the following command to move into the directory of the tool. You have to be in this directory in order to build and run the tool.

cd ppmap

Step 3: Build the Go file using the following command.

sudo go build

Step 4: Now use the following command to run the tool.

./ppmap

Working with Ppmap Tool in Kali Linux OS

Example 1: Scan a directory/file (or even just the website itself)

echo 'https://geeksforgeeks.org' | ./ppmap

Here we are scanning the https://geeksforgeeks.org target domain.

As https://geeksforgeeks.org is a secured website, no vulnerability is found on the domain.

Example 2: Scanning endpoint

https://msrkp.github.io/pp/2.html?__proto__[preventDefault]=x&__proto__[handleObj]=x&__proto__[delegateTarget]=<img/src/onerror%!d(MISSING)alert(1)>

In this example, we are scanning the complete URL with the endpoint.

The scan has found the vulnerable parameter.

We will copy the vulnerable URL and paste it into the web browser.

The payload is triggered on the domain, so it is vulnerable to XSS.
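
The __proto__[key]=value parameters in the URL above only take effect when the page's own JavaScript parses the query string into nested objects without filtering keys. The following is an added example, not code from the original article or from Ppmap: it shows a naive parser being polluted next to a hardened one. The function names and the query string are constructed for illustration.

```javascript
// Added example: function names and the sample query are constructed.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Split a bracket-notation name such as "a[b][c]" into ["a", "b", "c"].
function splitPath(name) {
  return name.split(/[\[\]]+/).filter(Boolean);
}

// Naive parser: walks the path with plain property access, so the segment
// "__proto__" resolves to Object.prototype and the final write lands there.
function parseQueryNaive(query) {
  const result = {};
  for (const [name, value] of new URLSearchParams(query)) {
    const path = splitPath(name);
    if (path.length === 0) continue;
    let node = result;
    for (const key of path.slice(0, -1)) {
      if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
      node = node[key];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Hardened parser: drops any parameter whose path contains a blocked key and
// builds on prototype-less objects, checking own properties only.
function parseQuerySafe(query) {
  const result = Object.create(null);
  for (const [name, value] of new URLSearchParams(query)) {
    const path = splitPath(name);
    if (path.length === 0 || path.some((k) => BLOCKED_KEYS.has(k))) continue;
    let node = result;
    for (const key of path.slice(0, -1)) {
      if (!hasOwn(node, key) || typeof node[key] !== 'object') {
        node[key] = Object.create(null);
      }
      node = node[key];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Run both parsers on one constructed query and report what happened.
function demo() {
  const query = '__proto__[polluted]=yes&user[name]=alice';
  const safe = parseQuerySafe(query);
  const cleanAfterSafe = ({}).polluted === undefined;
  parseQueryNaive(query);
  const pollutedAfterNaive = ({}).polluted === 'yes';
  delete Object.prototype.polluted; // undo the pollution for later code
  return { safeUser: safe.user.name, cleanAfterSafe, pollutedAfterNaive };
}
console.log(demo());
```

After the naive parser runs, every plain object inherits the injected property, which is the condition a gadget needs; the hardened parser still returns the legitimate user[name] value.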

Example 3: For mass scanning

cat urls.txt | ./ppmap

In this example, we will be scanning multiple target domains at the same time.
