Developers often mistakenly believe TypeScript's type safety provides runtime security, but it is a development-time tool that doesn't prevent real-world attacks.
Attackers can exploit how backends handle duplicate or malformed query parameters to cause unexpected behavior and bypass security checks.
Simple type definitions like `any`, explicit string casting, and even interfaces can be bypassed by sending array-like parameters, leading to vulnerabilities like cross-site scripting (XSS).
TypeScript checks are stripped out at compile time and have no effect on the running application, necessitating runtime validation techniques like type narrowing.
Even with a schema validation library like Zod, attackers can use specially crafted payloads with `__proto__` to pollute the global Object prototype and gain unauthorized privileges.
By default, Zod allows extra, undefined properties in an object, which can lead to mass assignment vulnerabilities when the object is passed to an ORM.
Popular libraries like object-path and the EJS templating engine have been vulnerable to parameter pollution, demonstrating how these attacks affect real applications.
Relying solely on TypeScript for security is like trusting 100% code coverage for bug-free code; it's a helpful tool but not a substitute for dedicated security practices.
Sensory-Minds GmbH
Offenbach am Main, Germany
Hubert Burda Media
München, Germany
31:13Stefan Baumgartner
58:19Michael Koppmann
29:44Jens Claes
29:17Marco Podien
26:59Jakub Andrzejewski
45:19Philippe De Ryck
28:41Alexander Pirker
30:54Martina Kraus
Jobs that call for the skills explored in this talk.
Lead Forensics
Portsmouth, United Kingdom
Amazon.com, Inc.
Seattle, United States of America
Andrew Nguyen
CyberCoders
Boston, United States of America
24/7 Technology Ltd
Warrington, United Kingdom