Server-Side Prototype Pollution: Detection and Exploitation Techniques - OWASP AppSec Dublin
Offered By: OWASP Foundation via YouTube
Course Description
Overview
Explore server-side prototype pollution in this 41-minute conference talk from Global AppSec Dublin. Delve into prototype chains, merge operations, and recursive merge functions. Learn about encoding properties that can take down servers, modifying maximum allowed parameters, and allowing multiple question marks in parameters. Discover techniques for converting parameters into objects, changing JSON response charsets and padding, and altering status codes. Investigate generic prototype pollution detection in Blitz and address asynchronous payload challenges. Gain insights on leaking code, detecting JavaScript engines, and using open-source tools. Conclude with strategies for preventing prototype pollution in web applications.
Syllabus
Intro
Prototype chain
Merge operation
Recursive merge function
Encoding property takes the server down
Change the maximum allowed parameters
Allow multiple question marks in param
Convert a parameter into an object
Change the charset of a JSON response
Investigating the charset technique
Change the padding of a JSON response
Change the status code
Generic prototype pollution detection in Blitz
A generic prototype pollution technique
Asynchronous payloads problem
Leaking code
Detecting JavaScript engines
Open source tool
Preventing prototype pollution
Taught by
OWASP Foundation
Related Courses
Authentication & Authorization: OAuth - Udacity
Desarrollo de Aplicaciones Web: Seguridad - University of New Mexico via Coursera
Web Application Development: Security - University of New Mexico via Coursera
Hacking and Patching - University of Colorado System via Coursera
Fundamentals of Computer Network Security - University of Colorado System via Coursera