Prototype Pollution Attacks in NodeJS Applications

Offered By: NorthSec via YouTube

Course Description

Overview

Explore prototype pollution attacks in NodeJS applications through this informative conference talk. Delve into the concept of prototype pollution, its historical context, and its potential security implications. Learn about APIs that allow prototype pollution and the consequences of such attacks. Discover how an attacker could manipulate base object prototypes with malicious values. Gain insights from security researcher Olivier Arteau as he shares his expertise on this topic. Examine real-world examples, including vulnerabilities in Ghost CMS and Express HBS. Understand the challenges of preventing prototype pollution and strategies for mitigation. Cover key concepts such as constructors, prototypes, merge operations, and immutability. Enhance your knowledge of JavaScript security and improve your ability to identify and protect against prototype pollution vulnerabilities in NodeJS applications.

Syllabus

Introduction
Agenda
Prototypes
Constructor
Proto
Prototype pollution
Merge operation
Merge operation implementation
Clone
Path
Research
Ghost CMS
The biggest problem
The main page
Adding properties
Stop properties
Lazy loading
Template selection
Express HBS
Buzz
Corruption
Immutability


Taught by

NorthSec
