Developers often mistakenly believe TypeScript's type safety provides runtime security, but it is a development-time tool that doesn't prevent real-world attacks.
Attackers can exploit how backends handle duplicate or malformed query parameters to cause unexpected behavior and bypass security checks.
Simple type definitions like `any`, explicit string casting, and even interfaces can be bypassed by sending array-like parameters, leading to vulnerabilities like cross-site scripting (XSS).
TypeScript checks are stripped out at compile time and have no effect on the running application, necessitating runtime validation techniques like type narrowing.
Even with a schema validation library like Zod, attackers can use specially crafted payloads with `__proto__` to pollute the global Object prototype and gain unauthorized privileges.
By default, Zod allows extra, undefined properties in an object, which can lead to mass assignment vulnerabilities when the object is passed to an ORM.
Popular libraries like object-path and the EJS templating engine have been vulnerable to parameter pollution, demonstrating how these attacks affect real applications.
Relying solely on TypeScript for security is like trusting 100% code coverage for bug-free code; it's a helpful tool but not a substitute for dedicated security practices.
31:13Stefan Baumgartner
58:19Michael Koppmann
29:44Jens Claes
29:17Marco Podien
26:59Jakub Andrzejewski
45:19Philippe De Ryck
28:41Alexander Pirker
30:54Martina Kraus
.png?w=240&auto=compress,format)
Jobs that call for the skills explored in this talk.
doinstruct Software GmbH
Berlin, Germany
Pflegecampus21 GmbH
GULP Information Services GmbH
GEBIT Solutions GmbH
Halvotec GmbH