# express-detect-no-csrf-before-method-override

Ensure express detects CSRF before override
The `csrf` middleware only checks non-idempotent requests such as `POST`, `PUT`, `DELETE`, etc. It does not check idempotent ones such as `GET`, `HEAD` and `OPTIONS`.

The `methodOverride` middleware allows HTTP requests to override the request verb with a `_method` post key or an `x-http-method-override` header. Therefore, with this middleware in place, one can send a `GET` request to the server with the `x-http-method-override` header value set to `POST`. The server, although it receives a `GET` request, will treat it as a `POST`.

In express apps the declaration order of middlewares defines their execution order. Therefore, if one registers the `csrf` middleware before `methodOverride`, an attacker can completely bypass CSRF checking by supplying a `GET` request with a method override: `csrf` sees a `GET` and skips the check, and only afterwards does `methodOverride` turn the request into a `POST`.
## Examples

### Insecure Example
```javascript
app.use(express.csrf());           // runs first: sees a GET and skips the token check
app.use(express.methodOverride()); // runs second: the GET becomes a POST after the check already passed
```
### Secure Example

The fix is trivial: register `express.methodOverride()` before the `csrf` setup, so the verb has already been rewritten by the time the CSRF check runs.
```javascript
app.use(express.methodOverride()); // a GET request masquerading as a POST is now a POST after this point
app.use(express.csrf());           // the check now sees a POST and requires a valid token
```
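The following is an added example that models the two orderings above without depending on Express: the `csrfCheck` and `methodOverride` functions are simplified stand-ins written for this example (not the real Connect/Express middleware code), implementing only the behaviour the text describes, and `runChain` is a hypothetical minimal replacement for `app.use()` ordering. The request, session secret and header names are constructed for the demonstration.

```javascript
'use strict';

// Idempotent verbs that the csrf middleware does not check (as the text states).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Stand-in for express.csrf(): skips safe verbs, otherwise requires a token
// (from a `_csrf` body key or an `x-csrf-token` header) matching the session secret.
// The token-vs-secret comparison is a simplification assumed for this example.
function csrfCheck(req, res, next) {
  if (SAFE_METHODS.has(req.method)) return next();
  const token = (req.body && req.body._csrf) || req.headers['x-csrf-token'];
  if (token !== req.session.csrfSecret) {
    res.statusCode = 403;
    res.body = 'invalid csrf token';
    return; // chain stops here; the handler never runs
  }
  next();
}

// Stand-in for express.methodOverride(): a `_method` body key or an
// `x-http-method-override` header replaces the request verb.
function methodOverride(req, res, next) {
  const override = (req.body && req.body._method) || req.headers['x-http-method-override'];
  if (override) {
    req.originalMethod = req.method;
    req.method = String(override).toUpperCase();
  }
  next();
}

// Final handler: records which verb actually reached the application.
function handler(req, res) {
  res.statusCode = 200;
  res.body = 'handled as ' + req.method;
}

// Hypothetical synchronous runner that executes middlewares in registration order.
function runChain(middlewares, req) {
  const res = { statusCode: null, body: null };
  let i = 0;
  const next = () => {
    const mw = middlewares[i++];
    if (mw) mw(req, res, next);
  };
  next();
  return res;
}

// Constructed request: a GET carrying a method override; `csrfToken` is
// optional so the secure ordering can also be shown accepting a valid token.
function makeRequest(csrfToken) {
  const headers = { 'x-http-method-override': 'POST' };
  if (csrfToken) headers['x-csrf-token'] = csrfToken;
  return { method: 'GET', headers, body: {}, session: { csrfSecret: 'constructed-secret' } };
}

// csrf registered before methodOverride: the check sees a GET and skips,
// then the verb becomes POST and the state-changing handler runs with no token.
function insecureOrder() {
  return runChain([csrfCheck, methodOverride, handler], makeRequest());
}

// methodOverride registered before csrf: the verb is already POST when the
// check runs, so a missing or wrong token is rejected.
function secureOrder(csrfToken) {
  return runChain([methodOverride, csrfCheck, handler], makeRequest(csrfToken));
}

console.log('csrf -> methodOverride, no token:', insecureOrder());
console.log('methodOverride -> csrf, no token:', secureOrder());
console.log('methodOverride -> csrf, valid token:', secureOrder('constructed-secret'));
```

The difference between the two runs is purely the order in which the same two functions are placed in the chain, which is exactly what the rule flags: the check is only as good as the view of `req.method` it is given.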