
Cross-Site Request Forgery in NodeJS

Prevention

Node.js itself ships no protection against CSRF attacks: the developer must implement it explicitly, either by issuing anti-CSRF tokens and verifying them on every state-changing request, or by using one of the many well-tested libraries and frameworks that do so. Whichever option is chosen, it has to cover every endpoint that changes state, not only those reached through HTML forms.

Socket.IO

By default, a Socket.IO server accepts connections from any HTTP origin, which leaves the web application vulnerable to Cross-Site WebSocket Hijacking (CSWSH). Unlike regular cross-origin HTTP requests, the WebSocket handshake is not restricted by the same-origin policy: the browser sends an Origin header but does not enforce anything on it, so the check is entirely up to the server. In this scenario, a victim who is authenticated on the target application follows a malicious link. The malicious page then opens a WebSocket connection to the target endpoint; because the browser attaches the victim's authentication cookies to the handshake request, the connection is established within the victim's session, and the malicious page can read and write messages on it.

To restrict the allowed origins to a predefined set, Socket.IO 2.x provides the io.origins method, for example:

var http = require('http');
var server = http.createServer();
var io = require('socket.io')(server);   // Socket.IO 2.x API

// ...

// Only handshakes whose Origin header matches this scheme://host:port are accepted.
io.origins('https://trusted.example.com:443');

server.listen(3000);

This must be combined with the usual authentication of the connection: the Origin header is set reliably only by browsers, and nothing prevents a non-browser client from placing arbitrary content in it. The origin check therefore stops the attack described above (a malicious page driving the victim's browser) and nothing more.

Note that io.origins was removed in Socket.IO 3.0; there, origin restrictions are configured through server options (cors, allowRequest) instead, so consult the documentation of the version in use.
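To make the origin restriction and its caveat concrete independently of the Socket.IO version, here is an added example (written for this page, not code from Socket.IO) of an explicit Origin allowlist for the WebSocket handshake built on Node's standard library only. Allowlist entries use the same scheme://host:port form as the io.origins call above; ALLOWED_ORIGINS, normalizeOrigin, isAllowedOrigin, handleUpgrade and attachOriginGuard are hypothetical names, and the test origins are constructed.

```javascript
// Explicit Origin allowlist for WebSocket handshakes (added example, not
// Socket.IO code). Entries are scheme://host:port with the port spelled out.
const ALLOWED_ORIGINS = new Set([
  'https://trusted.example.com:443',   // hypothetical trusted origins
  'https://app.example.com:8443',
]);

// Normalise an Origin header to scheme://host:port, filling in the default
// port so 'https://trusted.example.com' and 'https://trusted.example.com:443'
// compare equal. Returns null for anything that is not a plain http(s)
// origin, including the literal string "null" browsers send for sandboxed
// or file:// pages.
function normalizeOrigin(origin) {
  if (typeof origin !== 'string') return null;
  let u;
  try { u = new URL(origin); } catch (e) { return null; }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  if (u.username || u.password || u.pathname !== '/' || u.search || u.hash) return null;
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${u.hostname}:${port}`;   // hostname is lower-cased by URL
}

// Fail closed: a missing or malformed Origin is untrusted. Browsers always
// send Origin on a WebSocket handshake, so this only ever rejects non-browser
// clients or attacks; a non-browser client can of course send any Origin it
// likes, which is why this check never replaces authenticating the connection.
function isAllowedOrigin(originHeader) {
  const normalized = normalizeOrigin(originHeader);
  return normalized !== null && ALLOWED_ORIGINS.has(normalized);
}

// Gate for the HTTP 'upgrade' event. A request from an unlisted origin is
// answered with 403 and the socket is closed before any WebSocket frame is
// exchanged. Returns true when the caller may hand the socket to its
// WebSocket implementation.
function handleUpgrade(req, socket) {
  if (!isAllowedOrigin(req.headers && req.headers.origin)) {
    socket.write('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
    socket.destroy();
    return false;
  }
  return true;
}

// Wire the gate onto an existing http.Server; onAccepted receives
// (req, socket, head) only for handshakes from an allowed origin.
function attachOriginGuard(server, onAccepted) {
  server.on('upgrade', (req, socket, head) => {
    if (handleUpgrade(req, socket)) onAccepted(req, socket, head);
  });
  return server;
}

module.exports = { normalizeOrigin, isAllowedOrigin, handleUpgrade, attachOriginGuard };
```

The normalisation step matters: comparing the raw header string would let https://trusted.example.com (no explicit port) slip past an allowlist that spells out :443, or, depending on which form the allowlist uses, reject legitimate browsers. The check also rejects origins that merely start with a trusted name (trusted.example.com.evil.test), a mistake that prefix or substring matching would make.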

See Cross-Site WebSocket Hijacking (CSWSH) for more information.

References

OWASP - Cross-Site Request Forgery Prevention Cheat Sheet
MITRE - CWE-352: Cross-Site Request Forgery (CSRF)