Cross Site Request Forgery, Race Condition, Outdated Library
Cross-Site Request Forgery (CSRF) is the opposite of an XSS exploit. Where XSS takes advantage of the user by means of a trusted web site, CSRF takes advantage of the web site by means of a trusted user.
We already know the solution to Cross-Site Scripting, right? Really?
Yes, we do: output escaping and encoding (HTML escaping, JavaScript escaping) together with input sanitization. Cross-Site Scripting means injecting JavaScript code into a website. Read more about XSS.
Suppose an attacker sends out fake emails with a link that deletes a blog post or an email. The target user clicks the link and lands on the delete page. Because the user is an administrator with a valid session, your application goes ahead and deletes the record as requested. The link is a mystery to the user, but the record is now gone without their consent. Not cool.
So what is the solution? The application has to verify that the request really originated from its own page, in the administrator's own browser, and not from a page the attacker controls: if an administrator wants to delete a record, every step of that action should come from the administrator, and nothing should be triggered on their behalf by a third party. A valid session cookie alone cannot tell these two cases apart, because the browser attaches it to the forged request as well.
For this we use a token: the server issues a secret, unguessable value to the legitimate page and checks it on every state-changing request. If the token matches, the deletion is what the administrator asked for; otherwise return an error. Let's see how to do this in code.
Step 1 — The client accesses the application server using the HTTP GET method.
Step 2 — The server generates a CSRF token and stores it in the HTTP session. The token is delivered to the client in a hidden field of the HTML form.
Step 3 — The client sends a request to the application server by clicking a button on the HTML form. Since the CSRF token is embedded in a hidden field of the form, its value is sent as a request parameter.
Step 4 — On a POST request, the server checks whether the CSRF token in the request parameter matches the one retained in the HTTP session. If the values do not match, an error is thrown as an invalid request (a request from the attacker).
Step 5 — The client accesses the application server using the HTTP GET method.
Step 6 — The server does not check the CSRF token value when it is accessed using the GET method.
First, ensure GET requests do not perform data-altering actions. Anything that performs an action on data should require a POST, PUT, or DELETE request. If the user clicks a delete button, take them to a form used to confirm the action. If data-altering actions really must be performed over GET (maybe for a RESTful API), require a unique token in the query string, and be aware that a token in the URL can leak through server logs, browser history and the Referer header, which is why the hidden POST field is the preferred place for it. In the following examples we use POST data, but the same concepts apply when dealing with GET requests: set the token in the query string instead of the POST parameters.
First, create a function to generate the token. Node.js has a built-in crypto module that generates cryptographically random bytes, which we can use as our CSRF token. Let's use the randomBytes method and see how it works. Use crypto.randomBytes rather than Math.random() here: the protection only works if the attacker cannot guess the token.
Next, we’ll call this within our route closure and pass the token to the view that is generating the form:
For our view, signup/form:
When this form is POSTed, we can now validate the token via middleware as well:
Now that this token checking is in place, if an attacker tricks a user into submitting a fake form, the request will fail. The user will not have a matching CSRF token in their session data for your website.
Race Condition
Race conditions are less common in JavaScript than in multi-threaded languages, because the event loop runs one callback at a time, but its asynchronous I/O still produces them, and they can be very hard to debug. It is best to handle them before they happen. A race condition is when the outcome depends on the order in which concurrent operations complete, causing an unexpected logic flow. The issue is when Block B executes before Block A, because Block A takes longer to perform.
The main way to prevent race conditions is to make the dependent step run only after the step it depends on has finished, in JavaScript by calling the continuation from inside the callback, or chaining it on the promise, rather than right after starting the asynchronous work. This is why it is important to both understand and use callbacks and promises correctly.
In the first snippet (Number 1), the CSRF token is generated asynchronously and next() is called right away, before the callback has stored the token, so the next middleware sees an undefined token and throws an error. The second snippet (Number 2) calls next() inside the callback, after the token has been generated, so the order is guaranteed.
Another example is database writes. To prevent race conditions in the database, wrap the related statements in a transaction so that the changes are applied only if all statements succeed, and rolled back otherwise.
Outdated Library
Yes, this one is easy to state: keep your application's dependencies up to date.
You can check for outdated dependencies using the npm outdated command. It returns a list of all outdated dependencies along with the current, wanted, and latest versions.
The wanted version of a package is the most up-to-date version that the current application allows, based on the semantic-versioning range declared in the package.json file. The latest version is the most recent version published. You can update all dependencies to their wanted versions by running the npm update command. Note that npm update stays within the range in package.json, so a vulnerable major version remains installed until you bump the range yourself; run npm audit to list dependencies with known vulnerabilities.