Sonya Moisset
Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks
#1about 3 minutes
Defining path traversal and its severe impact
Path traversal is a vulnerability where attackers exploit insufficient validation of user-supplied file names to access restricted files, leading to information exposure and vulnerability chaining.
#2about 3 minutes
Examining high-impact path traversal exploits in the wild
Major software like Zimbra and Apache HTTP Server have suffered from critical, unauthenticated path traversal vulnerabilities leading to widespread system compromise.
#3about 7 minutes
How URL encoding bypassed security in the `st` package
Attackers bypassed path normalization in the popular `st` NPM package using URL-encoded characters, a vulnerability fixed by first decoding the URI component and then normalizing the path.
#4about 5 minutes
Exfiltrating local files via a VS Code extension
The "Open in Default Browser" VS Code extension contained a path traversal flaw that allowed attackers to trick users into exfiltrating local files like SSH keys.
#5about 4 minutes
A critical path traversal flaw in the Node.js runtime
A specific version of the Node.js runtime had an improper path sanitization issue that made applications vulnerable to directory traversal by default.
#6about 3 minutes
Key takeaways and tools for preventing path traversal
Path traversal is an omnipresent risk that can be mitigated by understanding API function order and using automated security scanning tools directly in your IDE.
Related jobs
Jobs that call for the skills explored in this talk.
Hubert Burda Media
München, Germany
€80-95K
Intermediate
Senior
JavaScript
Node.js
+1
Matching moments
05:01 MIN
Comparing the security models of browsers and native apps
Developer Time Is Valuable - Use the Right Tools - Kilian Valkhof
01:06 MIN
Malware campaigns, cloud latency, and government IT theft
Fake or News: Self-Driving Cars on Subscription, Crypto Attacks Rising and Working While You Sleep - Théodore Lefèvre
03:31 MIN
The value of progressive enhancement and semantic HTML
WeAreDevelopers LIVE – You Don’t Need JavaScript, Modern CSS and More
09:38 MIN
Technical challenges of shipping a cross-platform browser
Developer Time Is Valuable - Use the Right Tools - Kilian Valkhof
11:32 MIN
The industry's focus on frameworks over web fundamentals
WeAreDevelopers LIVE – Frontend Inspirations, Web Standards and more
02:33 MIN
Why you might not need JavaScript for everything
WeAreDevelopers LIVE – You Don’t Need JavaScript, Modern CSS and More
07:39 MIN
Prompt injection as an unsolved AI security problem
AI in the Open and in Browsers - Tarek Ziadé
05:55 MIN
The security risks of AI-generated code and slopsquatting
Slopquatting, API Keys, Fun with Fonts, Recruiters vs AI and more - The Best of LIVE 2025 - Part 2
Featured Partners
Related Videos
29:47You click, you lose: a practical look at VSCode's security
Thomas Chauchefoin & Paul Gerste
44:11Vulnerable VS Code extensions are now at your front door
Raul Onitza-Klugman & Kirill Efimov
28:41101 Typical Security Pitfalls
Alexander Pirker
26:59Security in modern Web Applications - OWASP to the rescue!
Jakub Andrzejewski
30:54Cross Site Scripting is yesterday's news, isn't it?
Martina Kraus
1:58:59Stranger Danger: Your Java Attack Surface Just Got Bigger
Vandana Verma Sehgal
43:57Oops! Stories of supply chain shenanigans
Zbyszek Tenerowicz
27:41Friend or Foe? TypeScript Security Fallacies
Liran Tal
Related Articles
View all articles
From learning to earning
Jobs that call for the skills explored in this talk.
aXite Security Tools
Amsterdam, Netherlands
Node.js
Angular
JavaScript
TechBiz Global GmbH
REST
Docker
Node.js
JavaScript
Continuous Integration
Ninedots
Python
CircleCI
Amazon Web Services (AWS)