Sonya Moisset
Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks
#1about 3 minutes
Defining path traversal and its severe impact
Path traversal is a vulnerability where attackers exploit insufficient validation of user-supplied file names to access restricted files, leading to information exposure and vulnerability chaining.
#2about 3 minutes
Examining high-impact path traversal exploits in the wild
Major software like Zimbra and Apache HTTP Server have suffered from critical, unauthenticated path traversal vulnerabilities leading to widespread system compromise.
#3about 7 minutes
How URL encoding bypassed security in the `st` package
Attackers bypassed path normalization in the popular `st` NPM package using URL-encoded characters, a vulnerability fixed by first decoding the URI component and then normalizing the path.
#4about 5 minutes
Exfiltrating local files via a VS Code extension
The "Open in Default Browser" VS Code extension contained a path traversal flaw that allowed attackers to trick users into exfiltrating local files like SSH keys.
#5about 4 minutes
A critical path traversal flaw in the Node.js runtime
A specific version of the Node.js runtime had an improper path sanitization issue that made applications vulnerable to directory traversal by default.
#6about 3 minutes
Key takeaways and tools for preventing path traversal
Path traversal is an omnipresent risk that can be mitigated by understanding API function order and using automated security scanning tools directly in your IDE.
Related jobs
Jobs that call for the skills explored in this talk.
Sensory-Minds GmbH
Offenbach am Main, Germany
Remote
Senior
JavaScript
Node.js
+3
Hubert Burda Media
München, Germany
€80-95K
Intermediate
Senior
JavaScript
Node.js
+1
Matching moments
03:40 MIN
Analyzing the sophisticated Axios NPM supply chain attack
WeAreDevelopers LIVE - Bitpanda’s AI First Approach
05:43 MIN
How attackers exploit developers and packages
Vue3 practical development
05:49 MIN
Common attacks targeting software developers
Vulnerable VS Code extensions are now at your front door
03:51 MIN
Understanding NPM post-install security vulnerabilities
WeAreDevelopers LIVE - 11ty and a11y
02:39 MIN
How developers can become malware distribution vehicles
Stranger Danger: Your Java Attack Surface Just Got Bigger
03:17 MIN
Exploring specific web vulnerabilities and filtering issues
WeAreDevelopers LIVE - Chrome for Sale? Comet - the upcoming perplexity browser Stealing and leaking
03:36 MIN
Developers as an unintentional malware distribution vehicle
Walking into the era of Supply Chain Risks
04:54 MIN
Why developers are a prime target for attackers
You click, you lose: a practical look at VSCode's security
Featured Partners
Related Videos
29:47You click, you lose: a practical look at VSCode's security
Thomas Chauchefoin & Paul Gerste
30:54Cross Site Scripting is yesterday's news, isn't it?
Martina Kraus
44:11Vulnerable VS Code extensions are now at your front door
Raul Onitza-Klugman & Kirill Efimov
28:41101 Typical Security Pitfalls
Alexander Pirker
26:59Security in modern Web Applications - OWASP to the rescue!
Jakub Andrzejewski
27:41Friend or Foe? TypeScript Security Fallacies
Liran Tal
37:36Walking into the era of Supply Chain Risks
Vandana Verma
1:58:59Stranger Danger: Your Java Attack Surface Just Got Bigger
Vandana Verma Sehgal
Related Articles
View all articles
From learning to earning
Jobs that call for the skills explored in this talk.
aXite Security Tools
Amsterdam, Netherlands
Node.js
Angular
JavaScript
Punk Security Ltd.
Remote
£30-40K
Junior
Go
Java
.NET
+9
Rapid7
Remote
Intermediate