Sonya Moisset

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks

Are you decoding URLs before or after normalizing paths? The wrong order can expose every file on your Node.js server.

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks
#1about 3 minutes

Defining path traversal and its severe impact

Path traversal is a vulnerability where attackers exploit insufficient validation of user-supplied file names to access restricted files, leading to information exposure and vulnerability chaining.

#2about 3 minutes

Examining high-impact path traversal exploits in the wild

Major software like Zimbra and Apache HTTP Server have suffered from critical, unauthenticated path traversal vulnerabilities leading to widespread system compromise.

#3about 7 minutes

How URL encoding bypassed security in the `st` package

Attackers bypassed path normalization in the popular `st` NPM package using URL-encoded characters, a vulnerability fixed by first decoding the URI component and then normalizing the path.

#4about 5 minutes

Exfiltrating local files via a VS Code extension

The "Open in Default Browser" VS Code extension contained a path traversal flaw that allowed attackers to trick users into exfiltrating local files like SSH keys.

#5about 4 minutes

A critical path traversal flaw in the Node.js runtime

A specific version of the Node.js runtime had an improper path sanitization issue that made applications vulnerable to directory traversal by default.

#6about 3 minutes

Key takeaways and tools for preventing path traversal

Path traversal is an omnipresent risk that can be mitigated by understanding API function order and using automated security scanning tools directly in your IDE.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

How attackers exploit developers and packages
08:22 MIN

How attackers exploit developers and packages

Vue3 practical development

Common attacks targeting software developers
08:16 MIN

Common attacks targeting software developers

Vulnerable VS Code extensions are now at your front door

Why developers are a prime target for attackers
00:03 MIN

Why developers are a prime target for attackers

You click, you lose: a practical look at VSCode's security

Key takeaways on IDE and developer tool security
27:19 MIN

Key takeaways on IDE and developer tool security

You click, you lose: a practical look at VSCode's security

Exploiting path traversal in the Instant Markdown extension
20:46 MIN

Exploiting path traversal in the Instant Markdown extension

Vue3 practical development

Modern cybersecurity challenges for developers
15:35 MIN

Modern cybersecurity challenges for developers

Cyber Security: Small, and Large!

A historical parallel with the event-stream NPM hack
05:28 MIN

A historical parallel with the event-stream NPM hack

Coffee with Developers with Feross Aboukhadijeh of Socket about the xz backdoor

Demonstrating a supply chain attack using NPM hooks
10:37 MIN

Demonstrating a supply chain attack using NPM hooks

Hacking Kubernetes: Live Demo Marathon

Featured Partners

Related Videos

See all videos
You click, you lose: a practical look at VSCode's security29:47

You click, you lose: a practical look at VSCode's security

Thomas Chauchefoin & Paul Gerste

Cross Site Scripting is yesterday's news, isn't it?30:54

Cross Site Scripting is yesterday's news, isn't it?

Martina Kraus

Vulnerable VS Code extensions are now at your front door44:11

Vulnerable VS Code extensions are now at your front door

Raul Onitza-Klugman & Kirill Efimov

101 Typical Security Pitfalls28:41

101 Typical Security Pitfalls

Alexander Pirker

Security in modern Web Applications - OWASP to the rescue!26:59

Security in modern Web Applications - OWASP to the rescue!

Jakub Andrzejewski

Friend or Foe? TypeScript Security Fallacies27:41

Friend or Foe? TypeScript Security Fallacies

Liran Tal

Walking into the era of Supply Chain Risks37:36

Walking into the era of Supply Chain Risks

Vandana Verma

Stranger Danger: Your Java Attack Surface Just Got Bigger1:58:59

Stranger Danger: Your Java Attack Surface Just Got Bigger

Vandana Verma Sehgal

Related Articles

View all articles
DC
Daniel Cranney
Understanding and Mitigating Common Web Vulnerabilities
Vulnerabilities exist in many forms on the web, and attackers continue to find creative ways to exploit them. Technological advances like the proliferation of AI are of course exciting nd filled with opportunities, they equally present opportunities ...
Understanding and Mitigating Common Web Vulnerabilities
CH
Chris Heilmann
Dev Digest 138 - Are you secure about this?
Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Dev Digest 138 - Are you secure about this?
DC
Daniel Cranney
Dev Digest 188: CfP time, the risks of NPM and IKEA algorithms
Inside last week’s Dev Digest 188 . 🤖 GitHub Copilot CLI is now in public review 💻 Microsoft is bringing ‘vibe working’ to office apps 🎣 Attackers abuse AI tools to generate captchas in fishing attacks ⚠️ When LLMs autonomously attack 🧠 Common cause...
Dev Digest 188: CfP time, the risks of NPM and IKEA algorithms

From learning to earning

Jobs that call for the skills explored in this talk.

Technical Team Lead-Node.JS

Technical Team Lead-Node.JS

K2 Partnering Solutions Ltd
Municipality of Valencia, Spain

Scrum
React
Node.js
TypeScript
Agile Methodologies
Node.js developer

Node.js developer

Spait Infotech Private Limited
Birmingham, United Kingdom

Remote
£30-90K
Junior
API
GIT
REST
+17
node.js Developer | Saas

node.js Developer | Saas

Haystack People
Zwanenburg, Netherlands

Intermediate
API
Scrum
Node.js
JavaScript
TypeScript
+2