Olivier Arteau -- Prototype pollution attacks in NodeJS applications
Prototype pollution is a term that was coined many years ago in the JavaScript community to designate libraries that added extension methods to the prototype of base objects like "Object", "String" or "Function". This was very quickly considered a bad practice, as it introduced unexpected behavior in applications. In this presentation, we will analyze the problem of prototype pollution from a different angle. What if an attacker could pollute the prototype of the base object with his own value? What APIs allow such pollution? What can be done with it?

Olivier Arteau is a security researcher who works for a large financial institution. In his early days, he was a web developer, and he transitioned into the security field during university. Over the last few years he has given a good number of workshops for the user group MontreHack, and he is also part of the organization of a few CTFs (Mini-CTF OWASP and NorthSec).
