Open Source Libraries Vulnerabilities in the NPM Ecosystem
The NPM ecosystem is one of the largest ecosystems, if not the largest, in the industry. Over the years, the NodeJS community and the NPM ecosystem have become more mature and secure, but various security exploits continue to occur repeatedly. Two of these are inherent in the JavaScript language—RegEx DoS and Prototype Pollution.
While languages like C/C++ have many vulnerabilities inherent to their design (such as overflows and unauthorized memory access), exploiting these vulnerabilities requires much deeper technical knowledge compared to exploiting the inherent vulnerabilities in JavaScript. Or, as I like to say, "Binary exploitations are easy to find and hard to exploit, while web exploitations are hard to find and easy to exploit."
In this lecture, I would like to show how frequent these exploits are, how to mitigate them, and where they originate, and to provide general insight into web vulnerabilities.