Name: Server Side Prototype Pollution
Start: 2023-02-15T16:30:00+0000
End: 2023-02-15T17:30:00+0000

Server Side Prototype Pollution

Feedback form is now closed.

Detecting server side prototype pollution legitimately is quite difficult because it involves changing the state of Object prototypes on the server and that can almost certainly cause DoS. I've created multiple techniques that allow you to detect SSPP without bringing the server to its knees and without needing the source code.

I'll talk about how you can detect server side prototype pollution and the pros and cons of each technique and show you how to detect the type of JavaScript engine being used on some sites all blackbox with specially crafted requests. Finally I'll share an open source Burp extension that will help you detect SSPP using Burp Suite and wrap up with defensive measures you can take, takeaways and leave 5 minutes for questions.

Speakers

Gareth Heyes

Researcher and Co-Author, PortSwigger

PortSwigger researcher Gareth Heyes is probably best known for his work escaping JavaScript sandboxes, and creating super-elegant XSS vectors. When he's not co-authoring books (like the recent title, Web Application Obfuscation), Gareth is a father to two wonderful girls and husband... Read More →

Server side prototype pollution pptx

Wednesday February 15, 2023 4:30pm - 5:30pm GMT
Room: Liffey Hall 1

Breakout: Breaker, Category: Breaker

Audience Advanced

OWASP 2023 Global AppSec Dublin

Gareth Heyes

Attendees (32)

OWASP 2023 Global AppSec Dublin

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Gareth Heyes

Attendees (32)