Liran Tal

Friend or Foe? TypeScript Security Fallacies

Is TypeScript's type safety giving you a false sense of security? Learn how attackers use prototype pollution and mass assignment to bypass your defenses.

Friend or Foe? TypeScript Security Fallacies
#1about 2 minutes

The common misconception of TypeScript as a security tool

Developers often mistakenly believe TypeScript's type safety provides runtime security, but it is a development-time tool that doesn't prevent real-world attacks.

#2about 3 minutes

How HTTP parameter pollution creates ambiguity

Attackers can exploit how backends handle duplicate or malformed query parameters to cause unexpected behavior and bypass security checks.

#3about 5 minutes

Bypassing TypeScript types and interfaces with type juggling

Simple type definitions like `any`, explicit string casting, and even interfaces can be bypassed by sending array-like parameters, leading to vulnerabilities like cross-site scripting (XSS).

#4about 3 minutes

Why TypeScript is a dev-time tool, not a runtime guardrail

TypeScript checks are stripped out at compile time and have no effect on the running application, necessitating runtime validation techniques like type narrowing.

#5about 7 minutes

Exploiting prototype pollution to bypass Zod schema validation

Even with a schema validation library like Zod, attackers can use specially crafted payloads with `__proto__` to pollute the global Object prototype and gain unauthorized privileges.

#6about 2 minutes

Using mass assignment to bypass Zod's default behavior

By default, Zod allows extra, undefined properties in an object, which can lead to mass assignment vulnerabilities when the object is passed to an ORM.

#7about 2 minutes

Real-world examples of parameter pollution vulnerabilities

Popular libraries like object-path and the EJS templating engine have been vulnerable to parameter pollution, demonstrating how these attacks affect real applications.

#8about 2 minutes

Why TypeScript is like code coverage, not a security guarantee

Relying solely on TypeScript for security is like trusting 100% code coverage for bug-free code; it's a helpful tool but not a substitute for dedicated security practices.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Comparing the security models of browsers and native apps
05:01 MIN

Comparing the security models of browsers and native apps

Developer Time Is Valuable - Use the Right Tools - Kilian Valkhof

Malware campaigns, cloud latency, and government IT theft
01:06 MIN

Malware campaigns, cloud latency, and government IT theft

Fake or News: Self-Driving Cars on Subscription, Crypto Attacks Rising and Working While You Sleep - Théodore Lefèvre

The value of progressive enhancement and semantic HTML
03:31 MIN

The value of progressive enhancement and semantic HTML

WeAreDevelopers LIVE – You Don’t Need JavaScript, Modern CSS and More

Why you might not need JavaScript for everything
02:33 MIN

Why you might not need JavaScript for everything

WeAreDevelopers LIVE – You Don’t Need JavaScript, Modern CSS and More

The security risks of AI-generated code and slopsquatting
05:55 MIN

The security risks of AI-generated code and slopsquatting

Slopquatting, API Keys, Fun with Fonts, Recruiters vs AI and more - The Best of LIVE 2025 - Part 2

Prompt injection as an unsolved AI security problem
07:39 MIN

Prompt injection as an unsolved AI security problem

AI in the Open and in Browsers - Tarek Ziadé

Using AI to overcome challenges in systems programming
02:49 MIN

Using AI to overcome challenges in systems programming

AI in the Open and in Browsers - Tarek Ziadé

The industry's focus on frameworks over web fundamentals
11:32 MIN

The industry's focus on frameworks over web fundamentals

WeAreDevelopers LIVE – Frontend Inspirations, Web Standards and more

Featured Partners

Related Videos

See all videos
Lies we Tell Ourselves As Developers31:13

Lies we Tell Ourselves As Developers

Stefan Baumgartner

Typed Security: Preventing Vulnerabilities By Design58:19

Typed Security: Preventing Vulnerabilities By Design

Michael Koppmann

Don't compromise on speedy delivery nor type-safety by choosing TypeScript29:44

Don't compromise on speedy delivery nor type-safety by choosing TypeScript

Jens Claes

End-to-End TypeScript: Completing the Modern Development Stack29:17

End-to-End TypeScript: Completing the Modern Development Stack

Marco Podien

Security in modern Web Applications - OWASP to the rescue!26:59

Security in modern Web Applications - OWASP to the rescue!

Jakub Andrzejewski

Securing Frontend Applications with Trusted Types45:19

Securing Frontend Applications with Trusted Types

Philippe De Ryck

101 Typical Security Pitfalls28:41

101 Typical Security Pitfalls

Alexander Pirker

Cross Site Scripting is yesterday's news, isn't it?30:54

Cross Site Scripting is yesterday's news, isn't it?

Martina Kraus

Related Articles

View all articles
CH
Chris Heilmann
Dev Digest 138 - Are you secure about this?
Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Dev Digest 138 - Are you secure about this?
DC
Daniel Cranney
Exploring TypeScript: Benefits for Large-Scale JavaScript Projects
JavaScript is the backbone of web development, powering everything from small websites to large-scale enterprise applications. However, as projects grow in complexity, maintaining JavaScript code can become increasingly difficult. This is where TypeS...
Exploring TypeScript: Benefits for Large-Scale JavaScript Projects
DC
Daniel Cranney
Dev Digest 198: 30 years of JS, In-Browser AI, How Attackers Abuse GenAI
Inside last week’s Dev Digest 198 . 🎂 30 years of JavaScript ⏰ How long is a JavaScript second 💻 Clean code in Angular 🤦‍♂️ AI makes different mistakes than humans 👨‍💻 In-browser and offline AI 🟠 Undocumented Hacker News features 🐋 DeepSeek censored...
Dev Digest 198: 30 years of JS, In-Browser AI, How Attackers Abuse GenAI

From learning to earning

Jobs that call for the skills explored in this talk.