OWASP 2025 Global AppSec EU

So TypeScript has become the de facto industry standard for developing web applications these days and promising type security, but do developers properly understand the role it plays in securing applications and does the type safety promise hold true in face of real-world security threats?

Developers often mistake dev-time vs runtime security as well as confuse test cases for security guard rails. Can TypeScript actually provide you with code security benefits? In this session we will explore insecure TypeScript patterns, learn how HTTP parameter pollution vulnerabilities impact TypeScript code bases and witness first-hand how attackers employ prototype pollution attacks that cripple codebases even when developers use schema validation libraries like Zod. Through hands-on coding we’ll hack a TypeScript application and learn security best practices.