Liran Tal

Friend or Foe? TypeScript Security Fallacies

Is TypeScript's type safety giving you a false sense of security? Learn how attackers use prototype pollution and mass assignment to bypass your defenses.

Friend or Foe? TypeScript Security Fallacies
#1about 2 minutes

The common misconception of TypeScript as a security tool

Developers often mistakenly believe TypeScript's type safety provides runtime security, but it is a development-time tool that doesn't prevent real-world attacks.

#2about 3 minutes

How HTTP parameter pollution creates ambiguity

Attackers can exploit how backends handle duplicate or malformed query parameters to cause unexpected behavior and bypass security checks.

#3about 5 minutes

Bypassing TypeScript types and interfaces with type juggling

Simple type definitions like `any`, explicit string casting, and even interfaces can be bypassed by sending array-like parameters, leading to vulnerabilities like cross-site scripting (XSS).

#4about 3 minutes

Why TypeScript is a dev-time tool, not a runtime guardrail

TypeScript checks are stripped out at compile time and have no effect on the running application, necessitating runtime validation techniques like type narrowing.

#5about 7 minutes

Exploiting prototype pollution to bypass Zod schema validation

Even with a schema validation library like Zod, attackers can use specially crafted payloads with `__proto__` to pollute the global Object prototype and gain unauthorized privileges.

#6about 2 minutes

Using mass assignment to bypass Zod's default behavior

By default, Zod allows extra, undefined properties in an object, which can lead to mass assignment vulnerabilities when the object is passed to an ORM.

#7about 2 minutes

Real-world examples of parameter pollution vulnerabilities

Popular libraries like object-path and the EJS templating engine have been vulnerable to parameter pollution, demonstrating how these attacks affect real applications.

#8about 2 minutes

Why TypeScript is like code coverage, not a security guarantee

Relying solely on TypeScript for security is like trusting 100% code coverage for bug-free code; it's a helpful tool but not a substitute for dedicated security practices.

Related jobs
Jobs that call for the skills explored in this talk.

Angular Developer

Picnic Technologies B.V.
Amsterdam, Netherlands

Intermediate
Senior

Matching moments

Applying typed security to OWASP vulnerabilities
21:01 MIN

Applying typed security to OWASP vulnerabilities

Typed Security: Preventing Vulnerabilities By Design

Evaluating the strengths and limitations of TypeScript
38:46 MIN

Evaluating the strengths and limitations of TypeScript

Don't compromise on speedy delivery nor type-safety by choosing TypeScript

Why developers make basic cybersecurity mistakes
00:28 MIN

Why developers make basic cybersecurity mistakes

Don't Be A Naive Developer: How To Avoid Basic Cybersecurity Mistakes

The future of XSS prevention with Trusted Types
24:43 MIN

The future of XSS prevention with Trusted Types

A Primer in Single Page Application Security (Angular, React, Vue.js)

Why TypeScript is essential for building large applications
22:24 MIN

Why TypeScript is essential for building large applications

Building a large, complex product from the ground up with typescript & Atomic Design:lessons learned

Key takeaways on IDE and developer tool security
27:19 MIN

Key takeaways on IDE and developer tool security

You click, you lose: a practical look at VSCode's security

Q&A on type systems and legacy code
41:25 MIN

Q&A on type systems and legacy code

Typed Security: Preventing Vulnerabilities By Design

How to convince your team to adopt TypeScript
30:50 MIN

How to convince your team to adopt TypeScript

4 Steps from JavaScript to TypeScript

Featured Partners

Related Videos

See all videos
Lies we Tell Ourselves As Developers31:13

Lies we Tell Ourselves As Developers

Stefan Baumgartner

Typed Security: Preventing Vulnerabilities By Design58:19

Typed Security: Preventing Vulnerabilities By Design

Michael Koppmann

Don't compromise on speedy delivery nor type-safety by choosing TypeScript29:44

Don't compromise on speedy delivery nor type-safety by choosing TypeScript

Jens Claes

End-to-End TypeScript: Completing the Modern Development Stack29:17

End-to-End TypeScript: Completing the Modern Development Stack

Marco Podien

Security in modern Web Applications - OWASP to the rescue!26:59

Security in modern Web Applications - OWASP to the rescue!

Jakub Andrzejewski

Securing Frontend Applications with Trusted Types45:19

Securing Frontend Applications with Trusted Types

Philippe De Ryck

101 Typical Security Pitfalls28:41

101 Typical Security Pitfalls

Alexander Pirker

Cross Site Scripting is yesterday's news, isn't it?30:54

Cross Site Scripting is yesterday's news, isn't it?

Martina Kraus

From learning to earning

Jobs that call for the skills explored in this talk.