close search bar

Sorry, not available in this language yet

close language selection

ExpressJS: Preventing common vulnerabilities in the MEAN stack (Part 1)

Synopsys Editorial Team

Apr 20, 2017 / 2 min read

Table of Contents

Before jumping into the Express framework, get up to speed with Part 1 of this series which explores MongoDB.

Stack precedence (ExpressJS)

The Express framework allows developers to easily add multiple middleware plugins globally to all routes via app.use(). However, middleware order is important because it will only be applied to routes defined further down the stack. Consider the code block below where the isLoggedIn authentication middleware is applied after the /secure/removeInvoice route. The authentication check will be applied to requests for /secure/addInvoice but not /secure/removeInvoice.

expressjs1wp

An unauthenticated attacker can submit requests directly to the /secure/removeInvoice API and delete invoices.

expressjs2wp

Request submitted directly to unauthenticated API

expressjs3wp

Request submitted directly to unauthenticated API

When applying middleware globally (rather than inline, per route) developers should make all app.use calls at the beginning of the file, before defining routes that must be restricted by the applied middleware.

Case-insensitive routing (ExpressJS)

The Express server framework allows developers to easily define routes for serving static pages or RESTful APIs; however, these routes are case-insensitive by default. This becomes problematic when applying middleware security controls to routes based on regular expression matching. For example, our MEAN Bug application uses the isLoggedIn middleware function to verify that a user is authenticated. This middleware is dynamically applied to all routes that begin with the case-sensitive string /secure via the express-unless plugin.

expressjs4wp

Because Express routes are not case-sensitive, a request for /SECURE/manageInvoices will return the same resource as /secure/manageInvoices. However, the authentication-checking middleware will not be applied to /SECURE/manageInvoices, allowing an attacker to access the page without logging in.

expressjs5wp

User redirected to login page if unauthenticated

expressjs6wp

Authentication middleware bypassed with /SECURE/manageInvoices

expressjs7wp

Authentication middleware bypassed

The isLoggedIn authentication middleware should be applied to each /secure route based on a case-insensitive regular expression denoted by the ‘i’ option after the trailing forward slash.

expressjs8wp

Alternatively, the Express application can be configured to use case-sensitive routes by setting the case sensitive routing option to true.

expressjs9wp

The screenshot below demonstrates the second solution where the server is configured to use case-sensitive routing. The request for /SECURE/manageInvoices is no longer valid.

expressjs10wp

Case-sensitive routing enforced

Stay tuned for Part 3 of this series, exploring Express Sessions and CSRF, which will drop on the Software Security blog on May 4th.

Continue Reading

Automate security: DevOps integrations for risk detection and remediation

Automate security: DevOps integrations for risk detection and remediation

Charlotte Freeman
By Charlotte Freeman

Sep 19, 2023 / 4 min read

Tags: Software Integrity, Build Secure Software, DevSecOps
National Coding Week: Closing the skills gap with secure code training

National Coding Week: Closing the skills gap with secure code training

Taylor Armerding
By Taylor Armerding

Sep 18, 2023 / 5 min read

Tags: Software Integrity, Build Secure Software, Training, DevSecOps
How to safeguard your AI ecosystem: The imperative of AI/ML security assessments

How to safeguard your AI ecosystem: The imperative of AI/ML security assessments

John Waller
By John Waller

Sep 07, 2023 / 5 min read

Tags: Software Integrity, Build Secure Software, DevSecOps

Explore Topics

Agile, CI/CD
AppSec Best Practices
Automotive
Build Secure Software
Cloud Security
Compliance
Container Security
CyRC
DevSecOps
DAST
Financial Services
Fuzzing
Healthcare
IAST
Internet of Things
M&A
Manage Security Risks
Medical Devices
Mobile
Orchestration & Correlation
OSS License Compliance
Pen Testing
Program Strategy & Planning
Public Sector
SAST
SCA
Software Supply Chain
Security News & Research
Threat Modeling
Threat & Risk Assessment
Training
Web Application Security