Proposed by: Hamdaan Ali

JavaScript Security: Defending against Prototype Pollution Attacks

Prototype pollution is a security vulnerability in JavaScript that allows malicious actors to introduce arbitrary properties into global object prototypes. This may lead to denial of service (DoS), session fixation, bypassed security checks, SQL and NoSQL injection, and remote code execution.


In this talk, we'll first understand the JavaScript Inheritance model and how the prototype functions in JavaScript. We will then understand what Prototype Pollution is and how Prototype Pollution works with the help of a live demonstration. Finally, we will explore ways to defend our application against Prototype Pollution attacks in the same demonstration.
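The recursive-merge pattern that commonly produces prototype pollution, next to a hardened version, as an added example that is not taken from the talk, the blog or the slide deck. The function names, the `payload` string and the `isAdmin` property are constructed for illustration.

```javascript
// Constructed sample input: a JSON request body under attacker control.
// JSON.parse stores "__proto__" as an ordinary own key of the parsed object.
const payload = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Vulnerable: follows every key, so target["__proto__"] resolves to
// Object.prototype and the nested values are written onto it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: rejects the keys that reach a prototype and only recurses into
// properties the target itself owns, creating null-prototype containers.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function demo() {
  const results = {};
  unsafeMerge({}, JSON.parse(payload));
  results.pollutedAfterUnsafe = ({}).isAdmin === true; // unrelated object is affected
  delete Object.prototype.isAdmin;                     // undo the pollution
  const settings = safeMerge(Object.create(null), JSON.parse(payload));
  results.pollutedAfterSafe = ({}).isAdmin === true;
  results.theme = settings.theme;
  return results;
}
console.log(demo());
```

Key filtering is one layer; building lookup objects with `Object.create(null)` or using `Map` for untrusted keys removes the prototype from the picture entirely.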


This talk is based on my blog: https://javascript.plainenglish.io/javascript-security-defending-against-prototype-pollution-attacks-e61a49f259c5


I've also delivered it at DevFest 2023 by GDG Hubli: https://gdg.community.dev/events/details/google-gdg-hubli-presents-devfest-hubli-2023/


Here's my slide deck: https://docs.google.com/presentation/d/1LCSzwkvYU0saR5Zu_0Rt86Y_orumg4Lw/edit?usp=sharing&ouid=103876630603325091987&rtpof=true&sd=true

There are live demonstrations after each slide and a sample application at the end to demonstrate Prototype Pollution in Action and ways to fix it live.


I first encountered Prototype Pollution while working at Skugal on an API using Express. I realized how little security for developers is talked about. I decided to write these blogs and talks to enlighten folks and at the same time highlight how important it is for developers to take care of the security aspects of development in a world where we only talk about speed and scalability.

Source code/Reference: https://gdg.community.dev/events/details/google-gdg-hubli-presents-devfest-hubli-2023/

Talk duration: