Liran Tal

Friend or Foe? TypeScript Security Fallacies

Is TypeScript's type safety giving you a false sense of security? Learn how attackers use prototype pollution and mass assignment to bypass your defenses.

Friend or Foe? TypeScript Security Fallacies
#1about 2 minutes

The common misconception of TypeScript as a security tool

Developers often mistakenly believe TypeScript's type safety provides runtime security, but it is a development-time tool that doesn't prevent real-world attacks.

#2about 3 minutes

How HTTP parameter pollution creates ambiguity

Attackers can exploit how backends handle duplicate or malformed query parameters to cause unexpected behavior and bypass security checks.

#3about 5 minutes

Bypassing TypeScript types and interfaces with type juggling

Simple type definitions like `any`, explicit string casting, and even interfaces can be bypassed by sending array-like parameters, leading to vulnerabilities like cross-site scripting (XSS).

#4about 3 minutes

Why TypeScript is a dev-time tool, not a runtime guardrail

TypeScript checks are stripped out at compile time and have no effect on the running application, necessitating runtime validation techniques like type narrowing.

#5about 7 minutes

Exploiting prototype pollution to bypass Zod schema validation

Even with a schema validation library like Zod, attackers can use specially crafted payloads with `__proto__` to pollute the global Object prototype and gain unauthorized privileges.

#6about 2 minutes

Using mass assignment to bypass Zod's default behavior

By default, Zod allows extra, undefined properties in an object, which can lead to mass assignment vulnerabilities when the object is passed to an ORM.

#7about 2 minutes

Real-world examples of parameter pollution vulnerabilities

Popular libraries like object-path and the EJS templating engine have been vulnerable to parameter pollution, demonstrating how these attacks affect real applications.

#8about 2 minutes

Why TypeScript is like code coverage, not a security guarantee

Relying solely on TypeScript for security is like trusting 100% code coverage for bug-free code; it's a helpful tool but not a substitute for dedicated security practices.

Related jobs
Jobs that call for the skills explored in this talk.

test

Milly
Vienna, Austria

Intermediate

test

Milly
Vienna, Austria

Intermediate

Matching moments

Applying typed security to OWASP vulnerabilities
21:01 MIN

Applying typed security to OWASP vulnerabilities

Typed Security: Preventing Vulnerabilities By Design

The hidden dangers in everyday TypeScript code
03:37 MIN

The hidden dangers in everyday TypeScript code

Lies we Tell Ourselves As Developers

Evaluating the strengths and limitations of TypeScript
38:46 MIN

Evaluating the strengths and limitations of TypeScript

Don't compromise on speedy delivery nor type-safety by choosing TypeScript

Why developers make basic cybersecurity mistakes
00:28 MIN

Why developers make basic cybersecurity mistakes

Don't Be A Naive Developer: How To Avoid Basic Cybersecurity Mistakes

Understanding the power and popularity of TypeScript
00:57 MIN

Understanding the power and popularity of TypeScript

End-to-End TypeScript: Completing the Modern Development Stack

Understanding TypeScript's origins and role in scalability
00:51 MIN

Understanding TypeScript's origins and role in scalability

All you need is types

Using Trusted Types in development to secure all browsers
20:55 MIN

Using Trusted Types in development to secure all browsers

Securing Frontend Applications with Trusted Types

The future of XSS prevention with Trusted Types
24:43 MIN

The future of XSS prevention with Trusted Types

A Primer in Single Page Application Security (Angular, React, Vue.js)

Featured Partners

Related Videos

See all videos
Lies we Tell Ourselves As Developers31:13

Lies we Tell Ourselves As Developers

Stefan Baumgartner

Typed Security: Preventing Vulnerabilities By Design58:19

Typed Security: Preventing Vulnerabilities By Design

Michael Koppmann

Don't compromise on speedy delivery nor type-safety by choosing TypeScript29:44

Don't compromise on speedy delivery nor type-safety by choosing TypeScript

Jens Claes

End-to-End TypeScript: Completing the Modern Development Stack29:17

End-to-End TypeScript: Completing the Modern Development Stack

Marco Podien

Security in modern Web Applications - OWASP to the rescue!26:59

Security in modern Web Applications - OWASP to the rescue!

Jakub Andrzejewski

101 Typical Security Pitfalls28:41

101 Typical Security Pitfalls

Alexander Pirker

Securing Frontend Applications with Trusted Types45:19

Securing Frontend Applications with Trusted Types

Philippe De Ryck

Cross Site Scripting is yesterday's news, isn't it?30:54

Cross Site Scripting is yesterday's news, isn't it?

Martina Kraus

Related Articles

View all articles
CH
Chris Heilmann
Dev Digest 138 - Are you secure about this?
Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Dev Digest 138 - Are you secure about this?
TL
Thomas Limbüchler
What is TypeScript?
Since Angular 2 at the latest, TypeScript has been known to many. But what exactly can you do with it, and is it worth changing?Anyone who has worked with programming languages ​​such as Java or C# before will have noticed that JavaScript allows a su...
What is TypeScript?
Dev Digest 105 - Security First
Last Friday's Dev Digest was mostly about security and game topics, so let's take a look what you didn't get in your inbox. We also covered some brand new online courses to get started as a developer or refresh your knowledge. And we wrapped up CODE1...
Dev Digest 105 - Security First
CH
Chris Heilmann
Dev Digest 110 - XY marks the spotty security
This time we give you a collection of links about the XZ backdoor, solve the last CODE100 puzzle, announce the next round of it, let you play with colours and explain why Lava lamps are great to keep the web secure.News and ArticlesThe big piece of n...
Dev Digest 110 - XY marks the spotty security

From learning to earning

Jobs that call for the skills explored in this talk.