
Server Side Prototype Pollution

2023-02-15

Authors: Gareth Heyes


Summary

The presentation discusses the detection and prevention of Prototype Pollution vulnerabilities in JavaScript applications.
  • Prototype Pollution vulnerabilities can be exploited to execute malicious code in JavaScript applications
  • The Prototype Pollution scanner can be used to detect and prevent these vulnerabilities
  • Object.freeze or seal methods can be used to protect against Prototype Pollution
  • Inherited properties in parameter names or values can be used to leak JavaScript native code
  • Detection of JavaScript engines can be done by looking for specific inherited properties
The speaker found that by sending an inherited property name such as valueOf as a cookie value, they were able to leak JavaScript native code from the Adobe website. They also discovered that certain inherited properties can be used to identify which JavaScript engine is in use.
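As an added example that is not part of the talk: a naive recursive merge of a request body, the kind of code that lets a `__proto__` key reach `Object.prototype`, beside the two defences the summary names (refusing prototype-chain keys, and freezing `Object.prototype`). The function names, the merge logic and the request body are assumptions constructed for this illustration.

```javascript
// Added example (not from the talk): a naive recursive merge that copies
// attacker-controlled keys unchecked, beside the two defences the summary names:
// refusing prototype-chain keys, and Object.freeze(Object.prototype).
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      // For key "__proto__", target[key] is Object.prototype, so the recursion
      // writes into the shared prototype instead of into `target`.
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // never descend into the prototype chain
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      // Recurse only into an object `target` owns, never an inherited one.
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Constructed request body, as the JSON string a server would parse.
const POLLUTING_BODY = '{"name":"demo","__proto__":{"polluted":true}}';

// True when mergeFn leaked a property onto every object; cleans up afterwards.
function mergeLeaksIntoPrototype(mergeFn) {
  try { mergeFn({}, JSON.parse(POLLUTING_BODY)); } catch (e) { /* frozen prototype throws in strict mode */ }
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}
// Process-wide hardening: call once at startup, after any dependency that
// legitimately extends Object.prototype has loaded, since later additions fail.
function hardenPrototypes() {
  Object.freeze(Object.prototype);
  return Object.isFrozen(Object.prototype);
}
```

Freezing is a process-wide, one-way change, so run it once at startup and confirm no dependency needs to extend `Object.prototype` afterwards.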

Abstract

Detecting server side prototype pollution legitimately is quite difficult because it involves changing the state of Object prototypes on the server, and that can almost certainly cause DoS. I've created multiple techniques that allow you to detect SSPP without bringing the server to its knees and without needing the source code. I'll talk about how you can detect server side prototype pollution and the pros and cons of each technique, and show you how to detect the type of JavaScript engine being used on some sites, all blackbox with specially crafted requests. Finally I'll share an open source Burp extension that will help you detect SSPP using Burp Suite and wrap up with defensive measures you can take, takeaways, and leave 5 minutes for questions.


Related work
Conference: Defcon 31
Authors: Mikhail Shcherbakov (KTH Royal Institute of Technology), Musard Balliu (KTH Royal Institute of Technology)
2023-08-01

Conference: Black Hat Asia 2023
Authors: Mikhail Shcherbakov
2023-05-11