Micah Silverman
Capture the Flag 101
#1 (about 4 minutes)
Introduction to developer-first security and CTFs
The concept of 'hack yourself' is introduced as a powerful way for developers to learn security principles by actively participating in challenges.
#2 (about 3 minutes)
Understanding the purpose and benefits of CTF events
Capture the Flag events are cross-functional, team-based challenges designed to help developers learn about security vulnerabilities in a hands-on way.
#3 (about 2 minutes)
Following the rules of engagement for a CTF
Effective participation in a CTF requires communication and collaboration, while avoiding spoilers or attacking the backend infrastructure.
#4 (about 2 minutes)
Beginning the 'Invisible Ink' CTF challenge
The walkthrough begins by examining the challenge description, the target web application, and the provided source code files for initial clues.
#5 (about 6 minutes)
Using curl for initial web application reconnaissance
The `curl` command is used to send GET and POST requests to the target URL, revealing how to correctly format requests with the proper content type.
#6 (about 1 minute)
Scanning dependencies for vulnerabilities with the Snyk CLI
The Snyk CLI tool is used to scan the project's `package.json` file, which quickly identifies a known prototype pollution vulnerability in a dependency.
#7 (about 4 minutes)
Explaining the prototype pollution vulnerability in JavaScript
Prototype pollution is a JavaScript-specific vulnerability that lets an attacker modify a shared prototype such as `Object.prototype`, so that injected properties appear on every object in the application that inherits from it.
#8 (about 5 minutes)
Analyzing source code to find the exploit vector
By examining the application's `index.js` file, the vulnerable `lodash.merge` function is identified as the entry point for the prototype pollution attack.
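As an added example (not the talk's own code or the CTF application's source), a constructed recursive merge of the kind the talk attributes to the vulnerable `lodash.merge`, shown beside a hardened version; the request body and the `isAdmin` property are constructed placeholders.

```javascript
// Added example, not from the talk or the CTF application. naiveMerge is a
// constructed stand-in for the recursive-merge behaviour described in the
// talk; safeMerge shows the corresponding fix.

function isObject(v) {
  return v !== null && typeof v === "object";
}

// Vulnerable: walks every own key of `src`, including a JSON-supplied
// "__proto__", so the recursion can land on Object.prototype itself.
function naiveMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (isObject(src[key]) && isObject(target[key])) {
      naiveMerge(target[key], src[key]); // target["__proto__"] is Object.prototype
    } else if (isObject(src[key])) {
      target[key] = naiveMerge({}, src[key]);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

// Hardened: drops keys that reach a prototype and only descends into
// objects `target` owns directly, never into inherited ones.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (isObject(src[key])) {
      if (!hasOwn(target, key) || !isObject(target[key])) target[key] = {};
      safeMerge(target[key], src[key]);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

// Constructed request body; "isAdmin" is a placeholder, not the CTF's flag.
const CONSTRUCTED_BODY = '{"name":"alice","__proto__":{"isAdmin":true}}';

// Merges the body into a fresh config and reports whether an unrelated,
// newly created object picked up the injected property. Cleans up afterwards.
function checkPollution(mergeFn) {
  const config = mergeFn({}, JSON.parse(CONSTRUCTED_BODY));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { leaked, name: config.name };
}
```

Node's `--disable-proto=delete` startup flag and `Object.freeze(Object.prototype)` are defence-in-depth layers that keep a merge like `naiveMerge` from reaching or altering `Object.prototype`, independent of fixing the dependency itself.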