Home

Awesome

Server side prototype pollution scanner

This extension identifies server side prototype pollution vulnerabilities, and requires <strong>Burp Suite v2021.9</strong> or later.

It uses techniques described in the server side prototype pollution talk by Gareth Heyes.

If you'd like to rate limit your attack, use the Distribute Damage extension.

How to use the extension

To use this extension simply right-click on a request, go to the extensions menu then server side prototype pollution and choose one of the scan options:

Techniques

Multiple techniques are used to detect prototype pollution and are described in the PortSwigger blog post.

Contributions

Contributions and feature requests are welcome.

Installation

This extension requires Burp Suite 2021.9 or later. To install it, simply use the BApps tab in Burp.

Development

Linux: ./gradlew build fatjar

Windows: gradlew.bat build fatjar

Grab the output from build/libs/server-side-prototype-pollution-all.jar