Liran Tal

Friend or Foe? TypeScript Security Fallacies

Is TypeScript's type safety giving you a false sense of security? Learn how attackers use prototype pollution and mass assignment to bypass your defenses.

Friend or Foe? TypeScript Security Fallacies
#1about 2 minutes

The common misconception of TypeScript as a security tool

Developers often mistakenly believe TypeScript's type safety provides runtime security, but it is a development-time tool that doesn't prevent real-world attacks.

#2about 3 minutes

How HTTP parameter pollution creates ambiguity

Attackers can exploit how backends handle duplicate or malformed query parameters to cause unexpected behavior and bypass security checks.

#3about 5 minutes

Bypassing TypeScript types and interfaces with type juggling

Simple type definitions like `any`, explicit string casting, and even interfaces can be bypassed by sending array-like parameters, leading to vulnerabilities like cross-site scripting (XSS).

#4about 3 minutes

Why TypeScript is a dev-time tool, not a runtime guardrail

TypeScript checks are stripped out at compile time and have no effect on the running application, necessitating runtime validation techniques like type narrowing.

#5about 7 minutes

Exploiting prototype pollution to bypass Zod schema validation

Even with a schema validation library like Zod, attackers can use specially crafted payloads with `__proto__` to pollute the global Object prototype and gain unauthorized privileges.

#6about 2 minutes

Using mass assignment to bypass Zod's default behavior

By default, Zod allows extra, undefined properties in an object, which can lead to mass assignment vulnerabilities when the object is passed to an ORM.

#7about 2 minutes

Real-world examples of parameter pollution vulnerabilities

Popular libraries like object-path and the EJS templating engine have been vulnerable to parameter pollution, demonstrating how these attacks affect real applications.

#8about 2 minutes

Why TypeScript is like code coverage, not a security guarantee

Relying solely on TypeScript for security is like trusting 100% code coverage for bug-free code; it's a helpful tool but not a substitute for dedicated security practices.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Applying typed security to OWASP vulnerabilities
01:42 MIN

Applying typed security to OWASP vulnerabilities

Typed Security: Preventing Vulnerabilities By Design

The hidden dangers in everyday TypeScript code
01:39 MIN

The hidden dangers in everyday TypeScript code

Lies we Tell Ourselves As Developers

Evaluating the strengths and limitations of TypeScript
04:07 MIN

Evaluating the strengths and limitations of TypeScript

Don't compromise on speedy delivery nor type-safety by choosing TypeScript

Why developers make basic cybersecurity mistakes
02:26 MIN

Why developers make basic cybersecurity mistakes

Don't Be A Naive Developer: How To Avoid Basic Cybersecurity Mistakes

Understanding the power and popularity of TypeScript
02:11 MIN

Understanding the power and popularity of TypeScript

End-to-End TypeScript: Completing the Modern Development Stack

Understanding TypeScript's origins and role in scalability
02:37 MIN

Understanding TypeScript's origins and role in scalability

All you need is types

Using Trusted Types in development to secure all browsers
04:30 MIN

Using Trusted Types in development to secure all browsers

Securing Frontend Applications with Trusted Types

The future of XSS prevention with Trusted Types
02:15 MIN

The future of XSS prevention with Trusted Types

A Primer in Single Page Application Security (Angular, React, Vue.js)

Featured Partners

Related Videos

See all videos
Lies we Tell Ourselves As Developers31:13

Lies we Tell Ourselves As Developers

Stefan Baumgartner

Typed Security: Preventing Vulnerabilities By Design58:19

Typed Security: Preventing Vulnerabilities By Design

Michael Koppmann

Don't compromise on speedy delivery nor type-safety by choosing TypeScript29:44

Don't compromise on speedy delivery nor type-safety by choosing TypeScript

Jens Claes

End-to-End TypeScript: Completing the Modern Development Stack29:17

End-to-End TypeScript: Completing the Modern Development Stack

Marco Podien

Security in modern Web Applications - OWASP to the rescue!26:59

Security in modern Web Applications - OWASP to the rescue!

Jakub Andrzejewski

Securing Frontend Applications with Trusted Types45:19

Securing Frontend Applications with Trusted Types

Philippe De Ryck

101 Typical Security Pitfalls28:41

101 Typical Security Pitfalls

Alexander Pirker

Cross Site Scripting is yesterday's news, isn't it?30:54

Cross Site Scripting is yesterday's news, isn't it?

Martina Kraus

Related Articles

View all articles
CH
Chris Heilmann
Dev Digest 138 - Are you secure about this?
Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Dev Digest 138 - Are you secure about this?
DC
Daniel Cranney
Exploring TypeScript: Benefits for Large-Scale JavaScript Projects
JavaScript is the backbone of web development, powering everything from small websites to large-scale enterprise applications. However, as projects grow in complexity, maintaining JavaScript code can become increasingly difficult. This is where TypeS...
Exploring TypeScript: Benefits for Large-Scale JavaScript Projects
DC
Daniel Cranney
Dev Digest 206: X Algorithm, Super Monkey Ball, Moltbot vs. Security
Inside last week’s Dev Digest 206 . 👀 How X chooses what you see 🟨 Building a JavaScript runtime in a month and a browser API in one shot 🔲 JavaScript frameworks heading into 2026 ⚠️ AI is getting better at detecting security issues 🔓 Moltbot is a s...
Dev Digest 206: X Algorithm, Super Monkey Ball, Moltbot vs. Security
DC
Daniel Cranney
Dev Digest 198: 30 years of JS, In-Browser AI, How Attackers Abuse GenAI
Inside last week’s Dev Digest 198 . 🎂 30 years of JavaScript ⏰ How long is a JavaScript second 💻 Clean code in Angular 🤦‍♂️ AI makes different mistakes than humans 👨‍💻 In-browser and offline AI 🟠 Undocumented Hacker News features 🐋 DeepSeek censored...
Dev Digest 198: 30 years of JS, In-Browser AI, How Attackers Abuse GenAI

From learning to earning

Jobs that call for the skills explored in this talk.