Sonya Moisset
Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks
#1 (about 3 minutes)
Defining path traversal and its severe impact
Path traversal is a vulnerability where attackers exploit insufficient validation of user-supplied file names to access restricted files, leading to information exposure and vulnerability chaining.
#2 (about 3 minutes)
Examining high-impact path traversal exploits in the wild
Major software such as Zimbra and Apache HTTP Server has suffered critical, unauthenticated path traversal vulnerabilities that led to widespread system compromise.
#3 (about 7 minutes)
How URL encoding bypassed security in the `st` package
Attackers bypassed path normalization in the popular `st` NPM package using URL-encoded characters, a vulnerability fixed by first decoding the URI component and then normalizing the path.
#4 (about 5 minutes)
Exfiltrating local files via a VS Code extension
The "Open in Default Browser" VS Code extension contained a path traversal flaw that allowed attackers to trick users into exfiltrating local files like SSH keys.
#5 (about 4 minutes)
A critical path traversal flaw in the Node.js runtime
A specific version of the Node.js runtime had an improper path sanitization issue that made applications vulnerable to directory traversal by default.
#6 (about 3 minutes)
Key takeaways and tools for preventing path traversal
Path traversal is an omnipresent risk that can be mitigated by paying attention to the order in which path-handling functions are applied (decode before you normalize, then verify the result stays under the intended root) and by running automated security scanning directly in your IDE.