CSRF tokens in ExpressJS — Node.js web framework

Sikandar Khan
4 min read · Mar 27, 2022
prevent CSRF attacks in nodejs

Cross-site request forgery attacks (CSRF or XSRF for short) work by an attacker gaining access to a victim’s browser, typically through a malicious link. The attack targets web applications that fail to differentiate between valid requests and forged (maliciously crafted, unauthorised) requests controlled by the attacker. Successful CSRF attacks can have serious consequences, such as initiating bank transactions, purchasing goods online, resetting a password, and so on.

How does a CSRF attack work?

On their own site (a phishing site), an attacker could create a button or form that sends a request to your bank’s site:

The forged request can silently change the password for your bank account.

There are ways to mitigate CSRF attacks

Using CSRF tokens, a CSRF attack can be prevented in three simple steps. The process is:

  1. The server sends the client a token.
  2. The client submits a form with the token.
  3. The server rejects the request if the token is invalid.

A good number of solutions are designed around CSRF tokens, such as the Synchronizer Token Pattern (STP) and double-submit cookies. CSRF tokens are one of the more popular and widely accepted anti-CSRF solutions, and all modern web application programming languages support them.

To implement this we can use ExpressJS, one of the popular Node.js web frameworks: light, fast and easy to learn. In four simple steps you can write the server-side application.

csurf is the official Node.js CSRF protection middleware.

  1. We need to create middleware for CSRF token creation and validation.
  2. We use the cookie-parser npm module to store the CSRF token in a cookie during the request/response exchange with the web server.
  3. We need to pass the token in a hidden form value using the middleware.
  4. This token is validated against the visitor’s session or CSRF cookie.

Demo code is shared here:

https://github.com/Sikandarkhan/csrf-token-expressjs

Demo video:

An attacker would have to somehow get the CSRF token from your site, and they would have to use JavaScript to do so. Thus, if your site does not support CORS, then there’s no way for the attacker to get the CSRF token, eliminating the threat.

Make sure CSRF tokens cannot be accessed with AJAX! Don’t create a /csrf route just to grab a token, and especially don’t support CORS on that route!

The token just needs to be “unguessable”, making it difficult for an attacker to guess correctly within a couple of tries. It does not have to be cryptographically secure. An attack is one or two clicks by an unwitting user, not a brute-force attack by a server.

1) Use only JSON APIs — by accepting only JSON, you eliminate the possibility of the above form.

2) Disable CORS — only allow it on OPTIONS, HEAD, GET as they are not supposed to have side-effects.

3) Check the Referer header

4) GET should not have side effects — make sure that none of your GET requests change any relevant data in your database.

5) Don’t support old browsers — Old browsers do not support CORS or security policies.

Conclusion

As the web moves towards JSON APIs and browsers become more secure with more security policies, CSRF is becoming less of a concern. Block older browsers from accessing your site and change as many of your APIs to be JSON APIs, and you basically no longer need CSRF tokens. But to be safe, you should still enable them whenever possible and especially when it’s non-trivial to implement.

Happy reading.
Sikandar Khan
