doc: annotate server.js with extra info regarding session and static …#286
Merged
lirantal merged 1 commit intoOWASP:masterfrom Mar 18, 2023
Merged
doc: annotate server.js with extra info regarding session and static …#286lirantal merged 1 commit intoOWASP:masterfrom
lirantal merged 1 commit intoOWASP:masterfrom
Conversation
…assets Express uses a middleware system to execute code, modify requests and responses, and perform other tasks whenever a network action takes place. The order you define these middleware matters. From the [express documentation](https://expressjs.com/en/guide/writing-middleware.html): > The order of middleware loading is important: middleware functions that are loaded first are also executed first. > *This* is the problem we can look for. Here's an example of what not to do: ```javascript app.use(session()); app.use(express.static(__dirname + '/public')); ``` In this case, the session handler is initialized before returning a static asset. Instead, we want to confirm that the static asset middleware, `express.static` is set prior to the `session` middleware. ```javascript app.use(express.static(__dirname + '/public')); // any other middelware app.use(session()); ``` This will serve static assets as expected, but not apply the session middleware to them since it is defined later.
Collaborator
|
@cfabianski thanks for adding and noting the context with the links. Would there be an actual viable exploit we can demonstrate based on the vulnerable code here? |
Contributor
Author
That's a very good point. I'll think about it 🤔 |
Collaborator
|
If there are any updates, I'm happy to pick this up with you, potentially to also write a short demo with this? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Express uses a middleware system to execute code, modify requests and responses, and perform other tasks whenever a network action takes place. The order you define these middleware matters. From the express documentation:
This is the problem we can look for. Here's an example of what not to do:
In this case, the session handler is initialized before returning a static asset.
Instead, we want to confirm that the static asset middleware,
express.staticis set prior to thesessionmiddleware.This will serve static assets as expected, but not apply the session middleware to them since it is defined later.
Links