Ppmap – A Scanner or Exploitation Tool Written In GO

Last Updated : 23 Sep, 2021

Web applications expose certain variables in the global context that are known as gadgets. A pen tester can use these gadgets to perform XSS attacks through prototype pollution, a vulnerability that affects JavaScript applications. Various automated tools can perform this task. Ppmap is an automated tool that aims to perform XSS via prototype pollution on the target domain. It is developed in the Go language, scans the target domain automatically, and identifies the gadgets present on it. Ppmap is available on GitHub and is free and open source.

Note: Ppmap is written in Go, so you need a Go environment on your system. For setup instructions, see How to Install Go Programming Language in Linux.

Installation of Ppmap Tool in Kali Linux OS

Step 1: Use the following command to clone the tool's repository onto your Kali Linux operating system.

git clone https://github.com/kleiton0x00/ppmap.git

Step 2: Now use the following command to move into the tool's directory. You have to be in this directory in order to build and run the tool.

cd ppmap

Step 3: Build the Go file using the following command.

sudo go build

Step 4: Now use the following command to run the tool.

./ppmap

Working with Ppmap Tool in Kali Linux OS

Example 1: Scan a directory/file (or even just the website itself)

echo 'https://geeksforgeeks.org' | ./ppmap

We are scanning the https://geeksforgeeks.org target domain.

As https://geeksforgeeks.org is a secured website, no vulnerability is found on the domain.

Example 2: Scanning endpoint

https://msrkp.github.io/pp/2.html?__proto__[preventDefault]=x&__proto__[handleObj]=x&__proto__[delegateTarget]=<img/src/onerror%!d(MISSING)alert(1)>

In this example, we are scanning the complete URL with the endpoint.

The scan reports the vulnerable parameter.

Copy the vulnerable URL and paste it into the web browser.

The payload is triggered on the domain, which shows that it is vulnerable to XSS.
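
Why a `__proto__[...]` query parameter like the one above reaches a gadget, shown as an added example that is not part of the original article or of Ppmap: a naive bracket-notation query parser next to a hardened one. The function names, the `renderTarget` gadget stand-in and the sample query are constructed for illustration.

```javascript
// Added illustration (not Ppmap code). All names and the sample query are constructed.
const SAMPLE_QUERY = '__proto__[delegateTarget]=INJECTED_MARKUP';
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a[b][c]" into ["a", "b", "c"].
function keyPath(rawKey) {
  return rawKey.split(/[\[\]]+/).filter(Boolean);
}

// safe=false: naive nested-key parser. safe=true: hardened variant.
function parseQuery(query, { safe }) {
  const fresh = () => (safe ? Object.create(null) : {});
  const out = fresh();
  for (const [rawKey, value] of new URLSearchParams(query)) {
    const path = keyPath(rawKey);
    if (path.length === 0) continue;
    // Hardening: refuse any key that can walk up to a prototype.
    if (safe && path.some((k) => BLOCKED.has(k))) continue;
    let node = out;
    for (const k of path.slice(0, -1)) {
      // Naive mode: node['__proto__'] is Object.prototype, so the walk leaves `out`.
      if (typeof node[k] !== 'object' || node[k] === null) node[k] = fresh();
      node = node[k];
    }
    node[path[path.length - 1]] = value;
  }
  return out;
}

// Gadget stand-in: reads a property the application never set on this object.
function renderTarget(options) {
  return options.delegateTarget || 'default-target';
}

// Parse the same query both ways and record what unrelated objects now inherit.
function demo(query) {
  const results = {};
  for (const safe of [false, true]) {
    parseQuery(query, { safe });
    results[safe ? 'hardened' : 'naive'] = {
      polluted: 'delegateTarget' in {}, // true if every object now inherits the key
      gadgetSees: renderTarget({}),
    };
    delete Object.prototype.delegateTarget; // reset global state between runs
  }
  return results;
}

console.log(demo(SAMPLE_QUERY));
```

The hardened parser closes the pollution source; the gadget is a separate defect in whatever code trusts the inherited property, so it should also check for own properties before using the value.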

Example 3: For mass scanning

cat urls.txt | ./ppmap

In this example, we will be scanning multiple target domains at the same time.

