Bypassing flawed input filters for server-side prototype pollution - Lab#08
Автор: Mohd Badrudduja
Загружено: 2025-09-15
Просмотров: 167
Описание:
In this video I solve the “Bypassing flawed input filters for server-side prototype pollution” lab from PortSwigger Web Security Academy.
This Node.js / Express application unsafely merges user-controlled input into server-side objects, and simple input filters were added — but they’re incomplete. I demonstrate how to bypass those flawed filters, pollute Object.prototype, locate a gadget property to escalate privileges, and ultimately access the admin panel to delete the user carlos.
What you’ll learn:
How server-side prototype pollution works in Node.js / Express.
Common (flawed) filter strategies and how attackers bypass them.
Finding prototype pollution sources and gadget properties on the server side.
Escalating privileges via polluted prototype properties to reach admin functionality.
Lab goal:
Bypass input filters → pollute Object.prototype → escalate privileges → access admin panel and delete carlos.
Ethical reminder:
This content is for educational purposes only. Always test in authorized environments and follow responsible disclosure practices.
If this walkthrough helped, please like, comment, and subscribe for more web security labs and exploitation techniques!
#PrototypePollution #ServerSideSecurity #NodeJS #ExpressJS #PrivilegeEscalation #WebSecurity #PortSwigger #BugBounty #EthicalHacking #WebAppSecurity #BurpSuite #InfoSec #PenTesting #SecurityResearch
Повторяем попытку...
Доступные форматы для скачивания:
Скачать видео
-
Информация по загрузке: