Exfiltrating sensitive data via server-side prototype pollution - Lab#10
In this video I walk through the “Exfiltrating sensitive data via server-side prototype pollution” lab from PortSwigger Web Security Academy. This lab demonstrates how unsafe object merging on a Node.js/Express server can lead to server-side prototype pollution, which — in certain server configurations — can be escalated into remote command execution and data exfiltration.

🎯 What I cover (high level):
- How to find the sources that allow Object.prototype pollution.
- Identifying server-side gadget patterns that may enable command execution.
- How exfiltration can be performed to an external OOB (out-of-band) service such as Burp Collaborator.
- How to safely confirm the vulnerability and extract the target secret.

⚠️ Important — Ethical & legal notice
This video is a lab walkthrough for educational purposes only, performed in an authorized, controlled environment. Do not attempt these techniques against real systems you do not own or have explicit permission to test. Always follow responsible disclosure and legal guidelines.

✅ Learning goals
By watching you’ll better understand why server-side prototype pollution is a critical server vulnerability, how it can lead to severe impacts (including RCE and data theft) in poorly configured environments, and how defenders can look for, mitigate, and responsibly report these issues.

If you found this useful, please like, comment, and subscribe for more hands-on security labs and responsible exploitation walkthroughs.

#PrototypePollution #ServerSideSecurity #NodeJS #ExpressJS #DataExfiltration #BurpCollaborator #WebSecurity #PortSwigger #WebSecurityAcademy #BugBounty #EthicalHacking #CyberSecurity #InfoSec #PenTesting #SecurityResearch
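The "unsafe object merging" the description refers to, as an added example that is not the lab's or PortSwigger's code: a naive recursive merge that follows a `__proto__` key into Object.prototype, the hardened merge a defender would ship instead, and a body scanner that flags such keys before anything is merged. Function names and the JSON payload are constructed for illustration.

```javascript
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// VULNERABLE: when the parsed body has an own key "__proto__", target["__proto__"]
// resolves to Object.prototype, so the recursion writes onto every object in the process.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === "object" && value !== null) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: skip keys that reach the prototype chain and only descend into
// properties the target itself owns, so target["__proto__"] is never followed.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === "object" && value !== null && !Array.isArray(value)) {
      if (!Object.hasOwn(target, key) || typeof target[key] !== "object" || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// DETECTION: dotted paths of nested keys that could pollute the prototype; run on a request body before merging.
function findPollutionKeys(obj, path = "") {
  if (typeof obj !== "object" || obj === null) return [];
  return Object.keys(obj).flatMap((k) => {
    const here = path ? `${path}.${k}` : k;
    return FORBIDDEN_KEYS.has(k) ? [here] : findPollutionKeys(obj[k], here);
  });
}

// Simulates the server merging a request body into a user record, then checks whether an unrelated object inherited the injected property.
function demo(mergeFn) {
  const body = JSON.parse('{"address":{"city":"Lab"},"__proto__":{"polluted":"yes"}}'); // constructed payload
  const user = { name: "wiener" };
  mergeFn(user, body);
  const leaked = {}.polluted; // undefined unless Object.prototype was polluted
  delete Object.prototype.polluted; // reset so the next run starts clean
  return { city: user.address.city, leaked };
}
```

`demo(unsafeMerge)` returns `leaked: "yes"` while `demo(safeMerge)` returns `leaked: undefined`; `findPollutionKeys` on the same body reports `["__proto__"]`.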