Typescript Csrf Middleware Order Incorrect
Description
Detects incorrect ordering of CSRF middleware in web application configurations, which can lead to CSRF protection bypass. When CSRF middleware is placed in the wrong order relative to other middleware components, it may not properly protect all routes or endpoints, leaving the application vulnerable to Cross-Site Request Forgery attacks.
Detection Strategy
• Examine middleware configuration files and framework setup code
• Check the declaration order of middleware components in the application
• Flag instances where CSRF middleware is not placed in the correct sequence relative to other critical middleware (like authentication or session middleware)
• Report a vulnerability if CSRF middleware is found after dependent middleware or in a position where it cannot effectively protect all routes
Vulnerable code example
```javascript
const express = require('express');
const cookieParser = require('cookie-parser'); // csurf needs cookie-parser (or a session) to store its secret
const methodOverride = require('method-override');
const csrf = require('csurf');
const app = express();
app.use(cookieParser());
// Vulnerable: csurf runs before method-override. csurf skips its safe methods (GET, HEAD, OPTIONS by default),
// so a request that arrives with a safe method and is only rewritten to POST/PUT/DELETE afterwards is never checked.
app.use(csrf({ cookie: true }));
app.use(methodOverride()); // Rewrites req.method after the CSRF check has already run
```
✅ Secure code example
```javascript
const express = require('express');
const cookieParser = require('cookie-parser'); // csurf needs cookie-parser (or a session) to store its secret
const methodOverride = require('method-override');
const csrf = require('csurf');
const app = express();
app.use(cookieParser());
// Secure: apply method-override before CSRF protection
app.use(methodOverride()); // Resolve the final HTTP method first
app.use(csrf({ cookie: true })); // csurf now sees the overridden method and checks the token for every state-changing request
```