
express-detect-no-csrf-before-method-override

Ensure express detects CSRF before override

The csrf middleware only checks non-idempotent requests such as POST, PUT and DELETE. It does not check idempotent ones such as GET, HEAD and OPTIONS.

The methodOverride middleware allows HTTP requests to override the request verb with a _method POST body key or an x-http-method-override header. Therefore, when this middleware is in use, one can send a GET request to the server with the x-http-method-override header set to POST. The server, although it receives a GET request, will treat it as a POST.

In express apps the declaration order of middlewares defines their execution order. Therefore, if one registers the csrf middleware before methodOverride, the csrf check runs while the request still looks like a GET and skips it, and an attacker can completely bypass CSRF checking by supplying a GET request with a method override.

Examples

Insecure Example

app.use(express.csrf());           // runs first: sees a GET and skips the CSRF check
app.use(express.methodOverride()); // too late: the GET is promoted to POST only after the check

Secure Example

The fix is quite trivial; just call express.methodOverride() before the csrf setup.

app.use(express.methodOverride()); // a GET request masquerading as a POST is now a POST after this point
app.use(express.csrf());           // the CSRF check now sees the effective verb and demands a token
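To make the ordering effect concrete, here is an added, stand-alone simulation of the two setups above. It is not Express code and not part of the original rule page: `createApp`, `methodOverride`, `csrf`, `handler` and `forgedRequest` are small hypothetical stand-ins that mimic the relevant behaviour of the real middlewares (methodOverride promotes the verb from the header or `_method` key; csrf skips GET/HEAD/OPTIONS and otherwise requires a token). The constructed request is a GET carrying `x-http-method-override: POST` and no token, which is exactly the case the rule is about.

```javascript
// Added example (not Express's own code): a minimal middleware chain that
// runs registered functions in order, in the spirit of app.use().
function createApp() {
  const stack = [];
  return {
    use(fn) { stack.push(fn); },
    handle(req) {
      const res = { statusCode: 200 };
      let i = 0;
      const next = () => {
        const fn = stack[i++];
        if (fn) fn(req, res, next);
      };
      next();
      return res;
    },
  };
}

// Hypothetical stand-in for methodOverride: promote the verb from the
// x-http-method-override header or the _method body key.
function methodOverride(req, res, next) {
  const override = req.headers['x-http-method-override'] || (req.body && req.body._method);
  if (override) req.method = String(override).toUpperCase();
  next();
}

// Hypothetical stand-in for csrf: idempotent verbs are skipped; any other
// verb must carry a token that matches the session secret, else 403.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
function csrf(req, res, next) {
  if (SAFE_METHODS.has(req.method)) return next();
  const token = (req.body && req.body._csrf) || req.headers['x-csrf-token'];
  if (!token || token !== req.session.csrfSecret) {
    res.statusCode = 403; // reject and stop the chain (next() is not called)
    return;
  }
  next();
}

// Terminal handler: records which verb the route finally saw.
function handler(req, res) {
  res.handledAs = req.method;
}

// Constructed request: a GET (skipped by csrf) with an override to POST and no token.
function forgedRequest() {
  return {
    method: 'GET',
    headers: { 'x-http-method-override': 'POST' },
    body: {},
    session: { csrfSecret: 'constructed-secret' },
  };
}

// Insecure ordering from the rule: csrf before methodOverride.
function runInsecureOrder() {
  const app = createApp();
  app.use(csrf);           // sees GET, skips the check
  app.use(methodOverride); // then turns the request into a POST
  app.use(handler);
  return app.handle(forgedRequest());
}

// Secure ordering from the rule: methodOverride before csrf.
function runSecureOrder() {
  const app = createApp();
  app.use(methodOverride); // GET becomes POST here
  app.use(csrf);           // check now sees POST and demands a token
  app.use(handler);
  return app.handle(forgedRequest());
}

const insecureResult = runInsecureOrder();
const secureResult = runSecureOrder();
console.log('csrf before methodOverride:', insecureResult.statusCode, insecureResult.handledAs); // 200 POST
console.log('methodOverride before csrf:', secureResult.statusCode, secureResult.handledAs);     // 403 undefined
```

With csrf registered first, the forged GET reaches the route as a POST with a 200 status and no token was ever checked; with methodOverride first, the same request is rejected with 403 before it reaches the route. The same ordering check applies to any middleware that rewrites the verb before the CSRF check.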