Cross-Site Request Forgery (CSRF)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-352: Cross-Site Request Forgery (CSRF) |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The CSRF protection middleware is registered before the method-override middleware in your Express app. CSRF middleware such as `csurf` only validates the token on state-changing methods and lets GET, HEAD and OPTIONS through unchecked, so the check sees a plain GET. The method-override middleware then rewrites the request method from a `?_method=` query parameter or an `X-HTTP-Method-Override` header, and the request reaches a POST, PUT or DELETE handler without ever having its token checked. A cross-site page can trigger such a GET with nothing more than an `<img>` or a link, and the browser attaches the victim's session cookie. Register the method-override middleware before the CSRF middleware so the override is applied first and the token check runs against the effective method; restricting overrides to POST requests (method-override's default) further limits the exposure.
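The following is an added example, not code from the original page or from Express, csurf or method-override. It models an Express-style middleware chain in plain Node with two simplified stand-ins (`csrfProtection`, which skips safe methods like csurf does, and `methodOverride`, configured as if overrides were allowed on every method) and runs the same forged GET through the vulnerable and the corrected ordering. The request objects, the `deleteAccount` handler and the token value are constructed for the demonstration.

```javascript
// Added example (not from the original page): a dependency-free model of an
// Express-style middleware chain showing why CSRF protection must run AFTER
// method override. The two middleware functions are simplified stand-ins for
// csurf and method-override; they do not reproduce those packages' internals.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Stand-in for a CSRF middleware: like csurf, it validates the token only on
// state-changing methods and passes "safe" methods through untouched.
function csrfProtection(req, res, next) {
  if (SAFE_METHODS.has(req.method)) return next();
  if (req.headers['x-csrf-token'] !== req.session.csrfToken) {
    res.status = 403;
    res.body = 'invalid csrf token';
    return;
  }
  next();
}

// Stand-in for method-override configured to honour overrides on any method.
// It rewrites req.method from ?_method= or the X-HTTP-Method-Override header.
function methodOverride(req, res, next) {
  const override = req.query._method || req.headers['x-http-method-override'];
  if (override) req.method = String(override).toUpperCase();
  next();
}

// Hypothetical route handler: what matters is whether a DELETE reaches it.
function deleteAccount(req, res) {
  if (req.method === 'DELETE') {
    res.status = 200;
    res.body = 'account deleted';
  } else {
    res.status = 405;
    res.body = 'method not allowed';
  }
}

// Runs a request through an ordered list of middleware, Express-style.
function run(chain, req) {
  const res = { status: 0, body: '' };
  let i = 0;
  const next = () => {
    const fn = chain[i++];
    if (fn) fn(req, res, next);
  };
  next();
  return res;
}

// Constructed sample: a cross-site GET (e.g. <img src="/account?_method=DELETE">)
// that carries the victim's session but, naturally, no CSRF token.
function forgedRequest() {
  return {
    method: 'GET',
    query: { _method: 'DELETE' },
    headers: {},
    session: { csrfToken: 'secret-token-123' },
  };
}

// Constructed sample: a legitimate same-origin form submission with the token.
function legitimateRequest() {
  return {
    method: 'POST',
    query: { _method: 'DELETE' },
    headers: { 'x-csrf-token': 'secret-token-123' },
    session: { csrfToken: 'secret-token-123' },
  };
}

// Vulnerable order: the CSRF check sees a GET and waves it through, then
// method-override turns it into a DELETE that reaches the handler.
const vulnerableChain = [csrfProtection, methodOverride, deleteAccount];

// Fixed order: method-override runs first, so the CSRF check sees a DELETE
// and rejects it for lack of a token. In Express this corresponds to
//   app.use(methodOverride('_method')); app.use(csurf({ ... }));
const fixedChain = [methodOverride, csrfProtection, deleteAccount];

function vulnerableResult() { return run(vulnerableChain, forgedRequest()); }
function fixedResult() { return run(fixedChain, forgedRequest()); }
function legitimateResult() { return run(fixedChain, legitimateRequest()); }

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable order, forged GET:', vulnerableResult());
  console.log('fixed order, forged GET:     ', fixedResult());
  console.log('fixed order, legitimate POST:', legitimateResult());
}
```

The chain runner is the whole point: middleware order is evaluation order, and a check that inspects `req.method` is only as good as the state of `req.method` at the moment it runs. The legitimate request shows that swapping the order does not break overrides for properly tokenised POSTs.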
Impact
An attacker who lures an authenticated user to a malicious page can issue a GET request that the application rewrites into a POST, PUT or DELETE, performing state-changing actions on the user's behalf without a valid CSRF token. Depending on the overridden route, this can modify or delete the user's data without their consent, compromising both user data and application integrity.