Server-Side Prototype Pollution: Detection and Exploitation Techniques - OWASP AppSec Dublin

OWASP Foundation via YouTube

Overview

Explore server-side prototype pollution in this 41-minute conference talk from Global AppSec Dublin. Delve into prototype chains, merge operations, and recursive merge functions. Learn about encoding properties that can take down servers, modifying maximum allowed parameters, and allowing multiple question marks in parameters. Discover techniques for converting parameters into objects, changing JSON response charsets and padding, and altering status codes. Investigate generic prototype pollution detection in Blitz and address asynchronous payload challenges. Gain insights on leaking code, detecting JavaScript engines, and using open-source tools. Conclude with strategies for preventing prototype pollution in web applications.

Syllabus

Intro
Prototype chain
Merge operation
Recursive merge function
Encoding property takes the server down
Change the maximum allowed parameters
Allow multiple question marks in param
Convert a parameter into an object
Change the charset of a JSON response
Investigating the charset technique
Change the padding of a JSON response
Change the status code
Generic prototype pollution detection in Blitz
A generic prototype pollution technique
Asynchronous payloads problem
Leaking code
Detecting JavaScript engines
Open source tool
Preventing prototype pollution

Taught by

OWASP Foundation
