Overview
Explore a DEF CON 31 conference talk that delves into the critical security implications of Prototype Pollution vulnerabilities in JavaScript applications, focusing specifically on how they can lead to Remote Code Execution (RCE) in NodeJS. Learn how attackers can inject properties into object prototypes to alter program flow beyond simple denial of service attacks, with researchers discovering exploitable gadgets throughout Node.js core code and popular NPM packages. Understand the findings from an extensive analysis of 15 popular Node.js applications that revealed 8 RCE vulnerabilities, and discover how recent Node.js updates are addressing these security concerns. Master the technical details of detected gadgets and vulnerabilities while gaining insights into the broader implications for JavaScript application security.
Syllabus
DEF CON 31 - Prototype Pollution Leads to Remote Code Execution in NodeJS - Shcherbakov, Balliu
Taught by
DEFCONConference