1 change: 1 addition & 0 deletions .gitignore
@@ -1 +1,2 @@
.DS_Store
web-ext-artifacts/*
24 changes: 10 additions & 14 deletions README.md
Expand Up @@ -12,23 +12,19 @@ Client Side Protype pollution Scanner


### How to use?
<ol>
<li>Clone the repo</li>
<li>Install addon

* In chrome,
* Go to More Tools -> Extenstions
* Enable Developer Mode
* Click on "Load unpacked" and select the cloned repo folder.

</li>
<li>Visit the websites you want to test</li>
</ol>

* Clone the repo
* Temporaty install

@cubic-dev-ai cubic-dev-ai bot Jan 20, 2026

P3: Fix the spelling of “Temporaty” to “Temporary” in the installation heading for clarity.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At README.md, line 16:

<comment>Fix the spelling of “Temporaty” to “Temporary” in the installation heading for clarity.</comment>

<file context>
@@ -12,23 +12,19 @@ Client Side Protype pollution Scanner
-</ol>
-
+* Clone the repo
+* Temporaty install
+   * In Firefox, go to `about:debugging#/runtime/this-firefox`
+   * Click on "Load temporaty add-on" and select `manifest.json` from the cloned repo folder. 
</file context>
Suggested change
* Temporaty install
* Temporary install

* In Firefox, go to `about:debugging#/runtime/this-firefox`
* Click on "Load temporaty add-on" and select `manifest.json` from the cloned repo folder.

@cubic-dev-ai cubic-dev-ai bot Jan 20, 2026

P3: Correct the spelling of “temporaty” to “temporary” in the add-on installation step.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At README.md, line 18:

<comment>Correct the spelling of “temporaty” to “temporary” in the add-on installation step.</comment>

<file context>
@@ -12,23 +12,19 @@ Client Side Protype pollution Scanner
+* Clone the repo
+* Temporaty install
+   * In Firefox, go to `about:debugging#/runtime/this-firefox`
+   * Click on "Load temporaty add-on" and select `manifest.json` from the cloned repo folder. 
+* Persistent install
+  * Build `npm install --global web-ext` & `web-ext build` or `npx web-ext build`
</file context>
Suggested change
* Click on "Load temporaty add-on" and select `manifest.json` from the cloned repo folder.
* Click on "Load temporary add-on" and select `manifest.json` from the cloned repo folder.

* Persistent install
* Build `npm install --global web-ext` & `web-ext build` or `npx web-ext build`
* After executing commands, an extension file should appear in ./web-ext-artifacts/ppscan-{Version number}.zip
* To install an extension from a file, switch `xpinstall.signatures.required parameter` to `false` in Firefox on `about:config` page.
* Click "Install add-on from file" on `about:addons` page and select ppscan-{Version number}.zip
* Visit the websites you want to test

It only checks for vulnerable location parsers.


### Examples
1. https://msrkp.github.io/pp/1.html
2. https://msrkp.github.io/pp/2.html
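
Review bot: The persistent-install step that sets `xpinstall.signatures.required` to `false` turns off add-on signature enforcement for the whole Firefox profile, and the README does not say so. Suggest telling readers to do this in a separate testing profile and to set it back afterwards, and noting that release and beta builds of Firefox ignore this preference, so the step only works on Developer Edition, Nightly or ESR. In the same line the code span should close after `required` (it currently wraps the word "parameter"), and in the build step a single `&` between the two commands reads as the shell background operator; `&&` or the word "then" is clearer. The new list also drops the Chrome instructions without saying whether Chrome is still supported.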
7 changes: 6 additions & 1 deletion manifest.json
Expand Up @@ -3,7 +3,6 @@
"version": "1.0",
"manifest_version": 2,
"description": "Client Side Prototype Pollution Scanner",
"options_page": "pages/options.html",
"permissions": [
"tabs",
"storage",
Expand Down Expand Up @@ -31,5 +30,11 @@
],
"browser_action": {
"default_popup": "pages/popup.html"
},
"applications": {
"gecko": {
"id": "PPScan@msrkp",
"strict_min_version": "57.0"
}
}
}
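
Review bot: The new `applications` key is the legacy name for this block, and Firefox accepts it only under Manifest V2; `browser_specific_settings` is the current name for the same object. Suggest renaming the key to `browser_specific_settings` and keeping the `gecko` object with its `id` and `strict_min_version` unchanged.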
2 changes: 1 addition & 1 deletion pages/background.html
@@ -1,7 +1,7 @@
<html>

<head>

<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>

<body>
1 change: 1 addition & 0 deletions pages/iframe.html
Expand Up @@ -3,6 +3,7 @@

<head>
<title>PP</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>

<body>
8 changes: 0 additions & 8 deletions pages/options.html

This file was deleted.

7 changes: 5 additions & 2 deletions scripts/background.js
@@ -1,3 +1,5 @@
var chrome = browser;

@cubic-dev-ai cubic-dev-ai bot Jan 20, 2026

P1: This will throw in environments where browser is undefined (e.g., Chrome), preventing the background script from loading. Use a safe fallback to the existing chrome global.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At scripts/background.js, line 1:

<comment>This will throw in environments where `browser` is undefined (e.g., Chrome), preventing the background script from loading. Use a safe fallback to the existing `chrome` global.</comment>

<file context>
@@ -1,3 +1,5 @@
+var chrome = browser;
+
 const databaseUrl = chrome.extension.getURL('/database.csv');
</file context>
Suggested change
var chrome = browser;
var chrome = typeof browser !== 'undefined' ? browser : globalThis.chrome;


const databaseUrl = chrome.extension.getURL('/database.csv');

/* initialize */
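
Review bot: `chrome.extension.getURL('/database.csv')` on the `databaseUrl` line is left on the deprecated `extension` namespace, while the rest of this change moves `extension.connect` and `extension.onConnect` to `runtime`. Suggest `chrome.runtime.getURL('/database.csv')` here so the migration is complete.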
Expand All @@ -7,11 +9,12 @@ setBadgeCount(0);

/* setup listeners */
chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
found.add(msg);
sourceUrl = new URL(msg);

@cubic-dev-ai cubic-dev-ai bot Jan 20, 2026

P2: Declare sourceUrl with const/let to avoid leaking a global variable into the background script scope.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At scripts/background.js, line 12:

<comment>Declare `sourceUrl` with `const`/`let` to avoid leaking a global variable into the background script scope.</comment>

<file context>
@@ -7,11 +9,12 @@ setBadgeCount(0);
 /* setup listeners */
 chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
-    found.add(msg);
+    sourceUrl = new URL(msg);
+    found.add(JSON.stringify({ domain: sourceUrl.origin, type: 'Active Mode', file: sourceUrl.href, lineCol: 0 }));
     setBadgeCount(found.size);
</file context>
Suggested change
sourceUrl = new URL(msg);
const sourceUrl = new URL(msg);

found.add(JSON.stringify({ domain: sourceUrl.origin, type: 'Active Mode', file: sourceUrl.href, lineCol: 0 }));
setBadgeCount(found.size);
});

chrome.extension.onConnect.addListener((port) => {
chrome.runtime.onConnect.addListener((port) => {
console.log('[>] New Session ', port);
if (port.name == "logger") {
port.onMessage.addListener((msg) => {
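
Review bot: In the `onMessage` listener, `new URL(msg)` throws a TypeError when `msg` is not an absolute URL string, and nothing here checks the message type or `sender` before parsing. Suggest validating first (for example a `typeof msg === 'string'` check and a `try`/`catch` around the parse) and skipping the `found.add(...)` call on failure, so one malformed message does not surface as an uncaught error in the background page. The `type: 'Active Mode'` and `lineCol: 0` literals would also benefit from a short comment explaining why these findings carry no line and column.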
2 changes: 2 additions & 0 deletions scripts/content_script.js
@@ -1,3 +1,5 @@
var chrome = browser;

@cubic-dev-ai cubic-dev-ai bot Jan 20, 2026

P2: Unconditionally assigning browser to chrome will throw in Chrome where browser is undefined, breaking the content script. Use a guarded assignment that falls back to chrome when browser isn’t available.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At scripts/content_script.js, line 1:

<comment>Unconditionally assigning `browser` to `chrome` will throw in Chrome where `browser` is undefined, breaking the content script. Use a guarded assignment that falls back to `chrome` when `browser` isn’t available.</comment>

<file context>
@@ -1,3 +1,5 @@
+var chrome = browser;
+
 document.addEventListener('TriggerBrute', () => {
</file context>
Suggested change
var chrome = browser;
var chrome = typeof browser !== "undefined" ? browser : chrome;


document.addEventListener('TriggerBrute', () => {
var iframe = document.createElement('iframe');
iframe.addEventListener('load', () => {
2 changes: 2 additions & 0 deletions scripts/exp.js
@@ -1,3 +1,5 @@
var chrome = browser;

@cubic-dev-ai cubic-dev-ai bot Jan 20, 2026

P2: Guard against browser being undefined; this line throws in Chrome, breaking existing extension usage. Use a conditional alias instead of directly referencing browser.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At scripts/exp.js, line 1:

<comment>Guard against `browser` being undefined; this line throws in Chrome, breaking existing extension usage. Use a conditional alias instead of directly referencing `browser`.</comment>

<file context>
@@ -1,3 +1,5 @@
+var chrome = browser;
+
 var PAYLOADS = [
</file context>


var PAYLOADS = [
// ['XSS Prototype #1', 'x[__proto__][e32a5ec9c99]', 'ddcb362f1d60', ],
// ['XSS Prototype #2', 'x.__proto__.e32a5ec9c99','ddcb362f1d60', ],
Empty file removed scripts/options.js
Empty file.
4 changes: 3 additions & 1 deletion scripts/popup.js
@@ -1,4 +1,6 @@
var port = chrome.extension.connect({
var chrome = browser;

@cubic-dev-ai cubic-dev-ai bot Jan 20, 2026

P1: Directly assigning browser breaks Chrome because browser is undefined there. Use a guarded fallback so Chrome continues to work.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At scripts/popup.js, line 1:

<comment>Directly assigning `browser` breaks Chrome because `browser` is undefined there. Use a guarded fallback so Chrome continues to work.</comment>

<file context>
@@ -1,4 +1,6 @@
-var port = chrome.extension.connect({
+var chrome = browser;
+
+var port = chrome.runtime.connect({
</file context>
Suggested change
var chrome = browser;
var chrome = typeof browser !== "undefined" ? browser : window.chrome;


var port = chrome.runtime.connect({
name: "logger"
});

9 changes: 5 additions & 4 deletions scripts/utils.js
@@ -1,3 +1,5 @@
var chrome = browser;

const DEBUG = false;

const blacklist = [
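
Review bot: `var chrome = browser;` at the top of this file is the same unguarded alias flagged in `background.js`, `content_script.js`, `exp.js` and `popup.js`, and it carries no comment here. Five copies of the line will drift apart; suggest a single shared file holding the guarded `typeof browser !== 'undefined'` form, listed first wherever these scripts are loaded, with a comment saying which browsers it targets.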
Expand Down Expand Up @@ -107,8 +109,7 @@ const check = ({ requestUri, initiator }) => {
if (blacklist.indexOf(requestUri + ':' + lineCol) != -1) {
return;
}

found.add(JSON.stringify({ domain: initiator, type: name, file: requestUri, lineCol }))
found.add(JSON.stringify({ domain: new URL(initiator).origin, type: name, file: requestUri, lineCol }))

@cubic-dev-ai cubic-dev-ai bot Jan 20, 2026

P2: Guard against missing originUrl before calling new URL(...). originUrl is optional for webRequest details, so new URL(initiator) can throw and stop scanning for requests without an origin.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At scripts/utils.js, line 112:

<comment>Guard against missing `originUrl` before calling `new URL(...)`. `originUrl` is optional for webRequest details, so `new URL(initiator)` can throw and stop scanning for requests without an origin.</comment>

<file context>
@@ -107,8 +109,7 @@ const check = ({ requestUri, initiator }) => {
                 }
-
-                found.add(JSON.stringify({ domain: initiator, type: name, file: requestUri, lineCol }))
+                found.add(JSON.stringify({ domain: new URL(initiator).origin, type: name, file: requestUri, lineCol }))
                 setBadgeCount(found.size);
             });
</file context>
Suggested change
found.add(JSON.stringify({ domain: new URL(initiator).origin, type: name, file: requestUri, lineCol }))
found.add(JSON.stringify({ domain: initiator ? new URL(initiator).origin : url.origin, type: name, file: requestUri, lineCol }))

Owner

good

setBadgeCount(found.size);
});
})
Expand All @@ -120,9 +121,9 @@ const filter = {
types: ["script"]
};

const scan = ({ method, url, initiator }) => {
const scan = (request) => {
// if (method == "GET") {
check({ requestUri: url, initiator });
check({ requestUri: request.url, initiator: request.originUrl });
// }
};
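
Review bot: `initiator: request.originUrl` in `scan` reads a Firefox-only field; Chrome's `webRequest` details carry `initiator` instead, so on Chrome the value is always `undefined` and the `new URL(initiator)` call in `check` throws. Suggest `initiator: request.originUrl || request.initiator`, and either deleting the commented-out `if (method == "GET")` lines or restoring the check with `request.method`, since `method` is no longer destructured.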
