Gareth Heyes


Designation :

Researcher at PortSwigger Web Security

Talk Title :

Server Side Prototype Pollution: Blackbox detection without the DoS

Abstract :

Detecting server side prototype pollution legitimately is quite difficult because it involves changing the state of Object prototypes on the server and that can almost certainly cause DoS. I've created multiple techniques that allow you to detect SSPP without bringing the server to its knees and without needing the source code.

I'll talk about how you can detect server side prototype pollution and the pros and cons of each technique and show you how to detect the type of JavaScript engine being used on some sites all blackbox with specially crafted requests. Finally I'll share an open source Burp extension that will help you detect SSPP using Burp Suite and wrap up with defensive measures you can take, takeaways and leave 5 minutes for questions.

Bio :

PortSwigger researcher Gareth Heyes is probably best known for his work escaping JavaScript sandboxes, and creating super-elegant XSS vectors. When he's not co-authoring books (like the recent title, Web Application Obfuscation), Gareth is a father to two wonderful girls and husband to an amazing wife, as well as an ardent fan of Liverpool FC.

In his daily life at PortSwigger, Gareth can often be found creating new XSS vectors, researching new techniques to attack web applications, and preparing to speak at conferences around the globe. A recent highlight was his presentation "XSS Magic Tricks" at OWASP Allstars Amsterdam, 2019. He's also the author of PortSwigger's XSS Cheat Sheet. In his spare time he loves writing new BApp extensions (he's the creator of both Hackvertor and Taborator).

Want to connect with Gareth Heyes?