Micah Silverman

Capture the Flag 101

It starts with a simple `curl` command and ends with a critical Prototype Pollution vulnerability. Learn to think like an attacker in this Capture the Flag introduction.

Capture the Flag 101
#1 (about 4 minutes)

Introduction to developer-first security and CTFs

The concept of 'hack yourself' is introduced as a powerful way for developers to learn security principles by actively participating in challenges.

#2 (about 3 minutes)

Understanding the purpose and benefits of CTF events

Capture the Flag events are cross-functional, team-based challenges designed to help developers learn about security vulnerabilities in a hands-on way.

#3 (about 2 minutes)

Following the rules of engagement for a CTF

Effective participation in a CTF requires communication and collaboration, while avoiding spoilers or attacking the backend infrastructure.

#4 (about 2 minutes)

Beginning the 'Invisible Ink' CTF challenge

The walkthrough begins by examining the challenge description, the target web application, and the provided source code files for initial clues.

#5 (about 6 minutes)

Using curl for initial web application reconnaissance

The `curl` command is used to send GET and POST requests to the target URL, revealing how to correctly format requests with the proper content type.

#6 (about 1 minute)

Scanning dependencies for vulnerabilities with the Snyk CLI

The Snyk CLI tool is used to scan the project's `package.json` file, which quickly identifies a known prototype pollution vulnerability in a dependency.

#7 (about 4 minutes)

Explaining the prototype pollution vulnerability in JavaScript

Prototype pollution is a JavaScript-specific vulnerability that allows an attacker to modify an object's base prototype (`Object.prototype`), so that injected properties appear on every object in the application.

#8 (about 5 minutes)

Analyzing source code to find the exploit vector

By examining the application's `index.js` file, the vulnerable `lodash.merge` function is identified as the entry point for the prototype pollution attack.
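To make the chapters #7 and #8 concrete, here is an added example (not code from the talk, from the challenge's `index.js`, or from lodash): a naive recursive merge of the kind old `lodash.merge` versions implemented, beside a hardened merge that refuses prototype-reaching keys. The JSON payload is constructed for the demo and it only needs Node.js.

```javascript
// Added example, not code from the talk or from lodash: a naive recursive
// merge of the kind old lodash.merge versions used, beside a hardened merge.
// The payload below is constructed for the demo; it only needs Node.js.

// Naive deep merge: walks every key of `source`, "__proto__" included, so a
// "__proto__" key makes target["__proto__"] (Object.prototype) the new target.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === undefined || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that let a merge reach a prototype instead of a plain data property.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened deep merge: own keys only, prototype-reaching keys refused, and a
// nested target created only when the existing one is not an own plain object.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs a merge on the constructed JSON payload (the shape a request body would
// carry) and reports whether a fresh, unrelated object inherited `polluted`.
// Object.prototype is restored afterwards so the runtime is clean again.
function demo(merge) {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}}');
  merge({}, payload);
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return leaked;
}

console.log(demo(naiveMerge)); // 'yes': every object now carries .polluted
console.log(demo(safeMerge));  // undefined: the key never reaches the prototype
```

Freezing `Object.prototype` at startup is a complementary defence-in-depth measure that would also have stopped the naive merge, at the cost of breaking any library that legitimately extends the prototype.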
