Working with Ppmap Tool in Kali Linux OS
Example 1: Scan a directory/file (or even just the website itself)
echo 'https://w3wiki.org' | ./ppmap
We are scanning the https://w3wiki.org target domain.
Because https://w3wiki.org is a secured website, no vulnerability is found on the domain.
Example 2: Scanning endpoint
https://msrkp.github.io/pp/2.html?__proto__[preventDefault]=x&__proto__[handleObj]=x&__proto__[delegateTarget]=<img/src/onerror%!d(MISSING)alert(1)>
In this example, we are scanning a complete URL, including the endpoint.
The scan returns the vulnerable parameter.
We copy the vulnerable URL and paste it into the web browser.
The payload is triggered on the domain, which shows that it is vulnerable to XSS.
Example 3: For mass scanning
cat urls.txt | ./ppmap
In this example, we scan multiple target domains, listed in urls.txt, at the same time.
Ppmap – A Scanner or Exploitation Tool Written In GO
Prototype Pollution is a vulnerability that can affect JavaScript applications. Web-based applications have specific variables in their global context, known as Gadgets, which a pen tester can use to perform XSS attacks through the Prototype Pollution method. Various automated tools can perform this task; Ppmap is one of them, and it aims to perform XSS via Prototype Pollution on the target domain. Ppmap is developed in the Go language; it automatically scans the target domain and identifies the Gadgets on it. The tool is available on GitHub, and it is free and open source.
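The flaw that Ppmap looks for, shown as an added example that is not code from Ppmap or from the original article: a query-string parser that expands keys written like the __proto__[key]=value parameters in Example 2, next to a hardened version. The function names and the sample query are constructed for illustration, and the query carries a harmless marker value.

```javascript
// Added example: not code from ppmap or the original article.
// Function names and the sample query are constructed for illustration.

// Split a bracketed key such as "a[b][c]" into ["a", "b", "c"].
function pathOf(rawKey) {
  return rawKey.replace(/\]/g, '').split('[');
}

// VULNERABLE: follows every path segment, so "__proto__" resolves to
// Object.prototype and the final assignment lands on it.
function parseQueryUnsafe(query) {
  const out = {};
  for (const [rawKey, value] of new URLSearchParams(query)) {
    const path = pathOf(rawKey);
    let node = out;
    for (const part of path.slice(0, -1)) {
      if (typeof node[part] !== 'object' || node[part] === null) node[part] = {};
      node = node[part];
    }
    node[path[path.length - 1]] = value;
  }
  return out;
}

const FORBIDDEN = new Set(['__proto__', 'prototype', 'constructor']);

// HARDENED: drops any parameter whose path names a prototype-related key and
// builds the result from prototype-less objects.
function parseQuerySafe(query) {
  const out = Object.create(null);
  for (const [rawKey, value] of new URLSearchParams(query)) {
    const path = pathOf(rawKey);
    if (path.some((part) => FORBIDDEN.has(part))) continue;
    let node = out;
    for (const part of path.slice(0, -1)) {
      if (typeof node[part] !== 'object' || node[part] === null) node[part] = Object.create(null);
      node = node[part];
    }
    node[path[path.length - 1]] = value;
  }
  return out;
}

// Parse the constructed query, then read "polluted" from a fresh, unrelated object.
function demo(parser) {
  const parsed = parser('page=2&__proto__[polluted]=yes&filter[tag]=go');
  const leaked = {}.polluted;        // defined only if Object.prototype was changed
  delete Object.prototype.polluted;  // clean up so the two runs stay independent
  return { leaked, tag: parsed.filter.tag };
}
console.log(demo(parseQueryUnsafe), demo(parseQuerySafe));
```

With the unsafe parser every object in the page inherits the injected property, which is what lets a gadget pick it up later; the hardened parser still returns the legitimate parameters.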
Note: Ppmap is a Golang-based tool, so you need to have a Golang environment on your system. To install Golang, see: How to Install Go Programming Language in Linux