Broken Authorization in NodeJS
Play NodeJS Labs on this vulnerability with SecureFlag!
Prevention
Node.js does not provide any native authentication and authorization mechanism that can be implemented using sessions. This task is often delegated to third-party frameworks and libraries.
Express.js
Being a fairly low-level framework, Express.js does not provide ready-made authentication and access control mechanisms, but its middleware-based architecture can be easily leveraged to implement simple custom solutions.
As an example, consider the following administrative endpoint:
app.use('/admin', function (req, res) {
res.end('some administrative functionality here...');
});
This endpoint can be accessed by anyone; Express.js allows a pipeline of stages that are processed in order to serve the actual content of the endpoint logic to be specified. For example, the following middleware checks that a session is established and that the current user is an administrator:
function check_admin(req, res, next) {
const username = req.session.user_id;
if (!username) {
res.redirect('/login.html?message=Please+log+in');
} else {
const user = db.fetchUser(username);
if (user.is_admin) {
next(); // next middleware stage or handler
} else {
res.redirect('/login.html?message=Administrators+only');
}
}
}
Finally, the above logic can be plugged into every endpoint or router in order to enforce the access control mechanism:
app.use('/admin', check_admin, function (req, res) {
res.end('some administrative functionality here...');
});
References
MITRE - CWE 285 - Improper Authorization
OWASP Top 10 2021 - Broken Access Control