Top 10 common security mistakes in TypeScript apps and how bug hunters find them

Stop shipping avoidable vulnerabilities: how bug hunters find and exploit mistakes in TypeScript apps (2026 edition)

Hook: If you're maintaining a TypeScript codebase in 2026, you already face faster release cycles, AI-generated code, and more serverless edge functions — plus a rising supply-chain risk. That combo makes simple mistakes become critical vulnerabilities. This guide lists the top 10 security mistakes seen in TypeScript apps, how bug hunters discover them, and exact fixes you can apply today.

Why this matters now (short answer)

In late 2025 and early 2026 the attack surface has shifted: micro-apps, edge functions, and AI-assisted coding create more entry points and more inconsistent patterns across teams. Bug bounty payouts continue to rise for critical findings, and automated scanners are better — but human-led bug hunting still finds logical flaws, unsafe runtime patterns, and misuse of JavaScript/TypeScript primitives.

"TypeScript reduces some classes of bugs but does not eliminate runtime security issues. Types are guidance, not a firewall."

Quick checklist (what you'll get)

• 10 common vulnerabilities TypeScript teams repeatedly introduce
• Minimal reproductions (vulnerable code + safe fixes)
• Bug-hunter detection tips and payloads
• CI / tooling rules to prevent regressions

Top 10 mistakes, with examples, detection tips, and fixes

1. Insecure deserialization (including prototype pollution)

Why it matters: Accepting arbitrary JSON and merging it into application objects can let an attacker change behavior, escalate privileges, or crash services. Prototype pollution remains a high-impact vector in JavaScript/TypeScript runtimes.

// vulnerable.ts
export function applyConfig(userJson: string) {
  const obj = JSON.parse(userJson); // dangerous if merged blindly
  const config = Object.assign({}, defaultConfig, obj);
  return config;
}

Bug hunter detection tips:

• Send payloads containing {"__proto__": {"isAdmin": true}} or nested constructors. Look for changes in global prototype behavior or unexpected privileges.
• Use fuzzing on endpoints that accept JSON and on API parameters consumed by Object.assign, _.merge, or library-provided deep merges.

Fix:

• Use a safe parser and whitelist keys. Do not merge user objects into application prototypes.

// fixed.ts
export function applyConfigSafe(userJson: string) {
  const parsed = JSON.parse(userJson);
  const safe = {
    theme: typeof parsed.theme === 'string' ? parsed.theme : defaultConfig.theme,
    maxItems: Number.isFinite(parsed.maxItems) ? parsed.maxItems : defaultConfig.maxItems,
  };
  return safe;
}

2. Authentication and authorization bypass (trusting client-side checks)

Why it matters: Front-end checks are convenient but never authoritative. Attackers can tamper with request payloads, cookies, or tokens to escalate privileges.

// vulnerable (client-side gate)
if (user.role === 'admin') {
  showAdminUI(); // client assumes server enforcement exists
}

Bug hunter detection tips:

• Intercept and modify requests (Burp, mitmproxy). Try creating/modifying resources while spoofing roles or omitting tokens.
• Test APIs directly without using the UI; look for endpoints that don't validate sessions or token scopes server-side.

Fix:

• Enforce role checks and resource ownership on the server. Use middleware that validates token signatures and claims.

// Express + TypeScript secure middleware example
import { Request, Response, NextFunction } from 'express';
function requireRole(role: string) {
  return (req: Request, res: Response, next: NextFunction) => {
    const user = req.user; // populated by auth middleware
    if (!user || user.role !== role) return res.status(403).send('forbidden');
    next();
  };
}

3. Unsafe eval / new Function / dynamic code execution

Why it matters: Dynamic code execution executes attacker-controlled strings as code. It defeats static typing and can lead to RCE in Node.js or XSS in the browser.

// vulnerable.ts
export function runUserRule(rule: string, ctx: any) {
  // rule comes from user input or untrusted source
  return new Function('ctx', rule)(ctx);
}

Bug hunter detection tips:

• Scan repo for eval, new Function, vm.runInNewContext.
• If found, probe inputs that reach those functions with payloads causing side effects, e.g. file reads or network calls.

Fix:

• Avoid dynamic evaluation. Use a sandboxed, purpose-built parser or implement a domain-specific language that's interpreted, not compiled.

// safer: use a vetted expression library or whitelist allowed operations
import { parseExpression } from 'safe-expression-evaluator'; // illustrative
export function evaluate(rule: string, ctx: any) {
  const ast = parseExpression(rule);
  return ast.evaluate(ctx);
}

4. Overuse of any and unchecked casts

Why it matters: TypeScript's any silences the type system — and silent mismatches often lead to runtime assumptions attackers can leverage.

// vulnerable.ts
function handle(data: any) {
  // assume data.user.id exists
  return `Hello ${data.user.id}`;
}

Bug hunter detection tips:

• Source-code review: find any, casts like as any, and suppressed errors (// @ts-ignore). These are hotspots.
• Send malformed inputs to endpoints consuming these values to cause crashes or bypass checks.

Fix:

• Prefer narrow types, runtime validators (zod, io-ts), and add tests verifying behavior for unexpected shapes.

// fixed.ts using zod
import { z } from 'zod';
const UserSchema = z.object({ id: z.string() });
function handleSafe(raw: unknown) {
  const data = UserSchema.parse(raw);
  return `Hello ${data.id}`;
}

5. Cross-Site Scripting (XSS) via templating and DOM insertion

Why it matters: XSS remains one of the most common issues. In TypeScript React apps, misuse of dangerouslySetInnerHTML or unsanitized templates is the usual culprit.

// vulnerable React example
function Comment({ html }: { html: string }) {
  return 
;
}

Bug hunter detection tips:

• Inject typical XSS payloads (e.g., <script>alert(1)</script>), and look for script execution or DOM changes.
• Check user-generated content endpoints for sanitization; test input that becomes HTML output.

Fix:

• Sanitize on output with a whitelisting sanitizer (DOMPurify), or better: store text and render as text nodes.

// safe rendering
import DOMPurify from 'dompurify';
function CommentSafe({ html }: { html: string }) {
  return 
;
}

6. CSRF due to missing or misconfigured protections

Why it matters: State-changing endpoints without CSRF protection are vulnerable when cookies are used for authentication.

Bug hunter detection tips:

• Try cross-origin POSTs via forms or script tags and see if state changes. Use Burp's CSRF PoC generator.
• Check if sameSite is set on cookies, and whether the app relies on custom headers (which block simple CSRF).

Fix:

• Use anti-CSRF tokens (double-submit cookies or synchronizer tokens), or use SameSite=strict/lax and stateless auth with tokens in Authorization header.

7. Server-side template injection / SSR pitfalls

Why it matters: Modern frameworks (Next.js, Astro, Deno) render on the server. If templates interpolate untrusted data into executable contexts (HTML, SQL, command lines), that's dangerous.

Bug hunter detection tips:

• Look for places where user input reaches template engines or external command calls. Inject payloads that create logical effects (unexpected HTML, DB queries, or file references).

Fix:

• Escape content for the appropriate context and never pass user input into shell commands; use parameterized queries for DBs.

8. Insecure storage of secrets and tokens

Why it matters: Storing tokens in localStorage exposes them to XSS. Committing secrets into repos or bundling them into client bundles leads to serious breaches.

Bug hunter detection tips:

• Search code for strings like process.env.SECRET used in client bundles, or public GitHub history for tokens. Try to access token endpoints directly.

Fix:

• Use httpOnly, secure cookies for auth tokens when possible. Keep secrets out of client code and add pre-commit hooks to detect accidental leakage. Consider secure workflow tooling like TitanVault to manage secrets and team access.

9. Broken access controls / insecure direct object references (IDOR)

Why it matters: Failing to check ownership allows attackers to access or modify other users' resources by changing IDs in requests.

// vulnerable endpoint
app.get('/invoice/:id', async (req, res) => {
  const invoice = await db.findInvoice(req.params.id);
  res.json(invoice);
});

Bug hunter detection tips:

• Sequentially enumerate IDs or tamper with GUIDs. Try to access or modify resources belonging to other users.

Fix:

• Always check that the authenticated user has access to the resource: verify ownership or proper ACLs in business logic.

// fixed
app.get('/invoice/:id', async (req, res) => {
  const invoice = await db.findInvoice(req.params.id);
  if (!invoice || invoice.ownerId !== req.user.id) return res.status(404).send('Not found');
  res.json(invoice);
});

10. Dependency & supply-chain vulnerabilities (including malicious types)

Why it matters: TypeScript projects pull many npm packages and type definitions. Attackers use typosquatting, dependency confusion, or malicious postinstall scripts to compromise builds.

Bug hunter detection tips:

• Inspect package.json, package-lock.json, and node_modules for unexpected packages, scripts, or strange dependencies. Look for packages with few downloads and names close to popular packages.

Fix:

• Pin dependency versions, enable dependency scanning (Snyk, GitHub Dependabot), restrict install scripts in CI, and use reproducible lockfiles. Review new dependencies in PRs. Monitor broader market signals — for example, a major cloud vendor merger can change supply-chain risk profiles and should trigger a review of your dependency footprint.

Detection tips and tooling for both devs and bug hunters

Use a layered approach — static analysis, runtime monitoring, fuzzing, and manual review.

• Static: ESLint plugins (eslint-plugin-security), TypeScript strict mode, semgrep rules, CodeQL queries for JS/TS.
• Dependency checks: npm audit, yarn audit, Snyk, GitHub Dependabot, and artefact signing where possible.
• Dynamic: Burp Suite / OWASP ZAP + automated fuzzing for JSON endpoints, template engines, and auth paths.
• Sandboxing: Use Node.js worker threads or restricted runtimes for untrusted code (avoid eval when possible). For local model sandboxing and secure experimentation, small on-prem or edge labs can help — see projects that show how to run local LLMs safely like the Raspberry Pi lab writeups.
• Runtime protections: CSP headers, SameSite cookies, and secure cookie flags.

Testing to add to your CI (practical rules)

1. Enforce TypeScript noImplicitAny and strict settings.
2. Run semgrep or CodeQL scans on every PR for known patterns like eval, new Function, prototype pollution, and unsanitized DOM insertion.
3. Block PRs that introduce new direct dependencies without a human review step.
4. Run automated fuzz tests on key JSON endpoints in a pre-deploy environment.

Real-world bug-hunting playbook (concise)

1. Map all inputs (HTTP body, headers, cookies, query params) and find sinks (eval, DB queries, template renderers, file ops).
2. Prioritize high-impact sinks: file writes, exec, DB changes, auth flows.
3. Attempt to control types and shapes (prototype pollution, JSON injection).
4. Automate enumerations for IDOR and missing auth checks.
5. Report with clear reproduction steps, PoC payloads, and remediation suggestions — consider bug bounty programs (some payouts reached six figures for critical RCEs in late 2025).

2026 trends and prediction for TypeScript security

Expect these things in 2026:

• More serverless / edge bugs due to short-lived environments and different runtime limits — test edge functions explicitly. (See material on edge testing and analytics.)
• AI-assisted code introduces subtle insecure patterns; augment code review with policy-as-code and specialized linters.
• Supply-chain attacks will continue to be a major vector; dependency governance becomes a first-class security practice.

Actionable takeaways

• Assume runtime is the source of truth: enforce security on the server, not just the client.
• Use runtime validation: zod, io-ts, or similar to validate external inputs.
• Harden CI: semgrep/CodeQL + dependency scanning + PR reviews for new packages.
• Eliminate dangerous primitives: remove eval/new Function, and avoid merging untrusted objects into application state.
• Test proactively: add fuzzing and targeted attack scenarios to your test suite.

Short checklist to run right now

• grep for eval|new Function|vm.runIn in your repo — fix or justify each result.
• Enable TypeScript strict mode and ban any in API boundary files.
• Run dependency scans and lock all dependencies in CI.
• Add runtime validators for every endpoint that accepts JSON.
• Add Content Security Policy (CSP) and secure cookie flags.

Closing: how bug hunters should report, and devs should react

Bug hunters: provide minimal, deterministic PoCs and clearly show impact (RCE, data leak, account takeover). Many programs (including big game/platform bounties in late 2025) rewarded clear end-to-end evidence. Dev teams: prioritize fixes that reduce attack surface and add tests to prevent regressions. For governance around dependency updates and patches, treat patch policy like any other risk domain and consult patch governance playbooks.

Call to action

Start a focused security sprint this week: run the quick checklist above, add semgrep/CodeQL rules to CI, and create a baseline fuzz test for your JSON APIs. If you found a vuln while following this guide, responsibly disclose it via your vendor's security process or a bug bounty program.

Want a checklist you can run in CI and share with your team? Download our TypeScript security checklist and starter semgrep rules from the site or subscribe for monthly hardening patterns tuned for 2026 — stay ahead of attackers and bug hunters alike.

Related Reading

• Security Best Practices with Mongoose.Cloud
• Developer Guide: Offering Your Content as Compliant Training Data
• Architecting a Paid-Data Marketplace: Security, Billing, and Model Audit Trails
• Patch Governance: Policies to Avoid Malicious or Faulty Windows Updates in Enterprise Environments
• Hands‑On Review: TitanVault Pro and SeedVault Workflows for Secure Creative Teams (2026)
• Mini‑Me Winter: How to Style Matching Outfits for You and Your Dog
• Announcement Templates for Product Launches and Maker Collaborations
• How Convenience Store Expansion Changes Where You Buy Garden Essentials
• Secure Password Reset Flows: Preventing the Next Instagram/Facebook Reset Fiasco
• Low-Sugar Pandan Desserts and Cocktails for Health-Conscious Entertaining