Wednesday, February 15 • 4:30pm - 5:30pm
Server Side Prototype Pollution

Detecting server-side prototype pollution legitimately is quite difficult because it involves changing the state of Object prototypes on the server, and that can almost certainly cause DoS. I've created multiple techniques that allow you to detect SSPP without bringing the server to its knees and without needing the source code.

I'll talk about how you can detect server-side prototype pollution and the pros and cons of each technique, and show you how to detect the type of JavaScript engine being used on some sites, all black-box, with specially crafted requests. Finally, I'll share an open source Burp extension that will help you detect SSPP using Burp Suite, wrap up with defensive measures you can take and takeaways, and leave 5 minutes for questions.

Gareth Heyes

Researcher and Co-Author, PortSwigger
PortSwigger researcher Gareth Heyes is probably best known for his work escaping JavaScript sandboxes, and creating super-elegant XSS vectors. When he's not co-authoring books (like the recent title, Web Application Obfuscation), Gareth is a father to two wonderful girls and husband...

Wednesday February 15, 2023 4:30pm - 5:30pm GMT
Room: Liffey Hall 1