
Broken Authentication in NodeJS


Vulnerable example

Node.js does not provide a native way to implement a robust web application authentication system.

The following Express.js route is an example of an endpoint that is available to anyone; it does not enforce any authentication:

app.post('/admin', function (req, res) {
    // no authentication middleware in front of the handler: any client can reach it
    // perform some sensitive action
});

The /admin endpoint is available to everyone and should be protected by an authentication mechanism so as not to be abused by malicious actors.

Prevention

Apply the recommended authentication and authorization mechanisms depending on the web framework of choice.

Express.js

Express.js allows authentication to be implemented as a middleware. In this case, one could implement an authentication middleware and (re)use it for one or more routes. For example, the following middleware checks the value of a session variable:

function authenticate(req, res, next) {
    if (!req.session.isLoggedIn) {
        res.redirect('/index.html');
    } else {
        next();
    }
}

It is possible to plug the authentication check in a route as shown below:

app.post('/admin', authenticate, function (req, res) { /*...*/ });
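The following is an added example, not code from the page or from SecureFlag, that puts the unprotected route and the middleware-protected route side by side and exercises both with hand-built req/res stubs so it runs with plain Node.js and no Express install. It assumes an express-session style req.session object, and it goes one step beyond the page by adding a requireRole() authorization middleware after the authentication check; the route dispatcher runRoute(), the res stub and the sample sessions are constructed for the example.

```javascript
// Added example (not the page's own code): session-based authentication
// middleware for Express.js, plus a role check, driven by stub objects.
// Assumption: req.session is populated by something like express-session.

function authenticate(req, res, next) {
  // A missing session or an unset flag means the client is not logged in.
  if (!req.session || !req.session.isLoggedIn) {
    res.redirect('/index.html');
    return; // stop here; never fall through to the protected handler
  }
  next();
}

// Authorization layer: authentication establishes who the caller is,
// this middleware checks what that caller is allowed to do.
function requireRole(role) {
  return function (req, res, next) {
    if (!req.session || req.session.role !== role) {
      res.status(403).send('Forbidden');
      return;
    }
    next();
  };
}

// Minimal stand-in for Express's route dispatch (constructed for the example):
// runs the handler chain in order and stops as soon as a handler responds
// instead of calling next().
function runRoute(handlers, req) {
  const res = {
    statusCode: 200,
    redirectedTo: null,
    body: null,
    status(code) { this.statusCode = code; return this; },
    send(body) { this.body = body; return this; },
    redirect(url) { this.statusCode = 302; this.redirectedTo = url; return this; },
  };
  let i = 0;
  function next() {
    const handler = handlers[i++];
    if (handler) handler(req, res, next);
  }
  next();
  return res;
}

// The sensitive handler behind /admin.
function adminHandler(req, res) {
  res.status(200).send('sensitive action performed');
}

// Vulnerable wiring, as on the page: the handler stands alone.
function callUnprotectedAdmin(req) {
  return runRoute([adminHandler], req);
}

// Protected wiring: authenticate first, then check the role, then act.
function callProtectedAdmin(req) {
  return runRoute([authenticate, requireRole('admin'), adminHandler], req);
}

// Constructed sample sessions (not real data).
const anonymous = { session: {} };
const loggedInUser = { session: { isLoggedIn: true, role: 'user' } };
const loggedInAdmin = { session: { isLoggedIn: true, role: 'admin' } };

console.log('unprotected, anonymous :', callUnprotectedAdmin(anonymous).body);
console.log('protected, anonymous   :', callProtectedAdmin(anonymous).redirectedTo);
console.log('protected, plain user  :', callProtectedAdmin(loggedInUser).statusCode);
console.log('protected, admin       :', callProtectedAdmin(loggedInAdmin).body);
```

Note the early return after res.redirect(): without it a middleware that both responds and calls next() lets the handler run anyway, which is the same exposure as having no middleware at all. Keeping the role check as a separate middleware lets the same authenticate() be reused on every route while only the routes that need it carry requireRole().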

References

CWE - CWE-287: Improper Authentication

OWASP - A07:2021 - Identification and Authentication Failures

OWASP - Authentication Cheat Sheet