If requests are not verified for access rights on the server, attackers can forge requests in order to reach functionality without proper authorization.
In the insecure demo application, this vulnerability exists in the benefits module, which allows changing the benefit start date for employees. The link to the benefits module is visible only to the admin user (user: admin, password: Admin_123). However, an attacker can reach this module simply by logging in as any non-admin user and requesting the benefits URL directly, because the route only checks that the user is logged in, not what role they hold.
routes/index.js
// Benefits Page
app.get("/benefits", isLoggedIn, benefitsHandler.displayBenefits);
app.post("/benefits", isLoggedIn, benefitsHandler.updateBenefits);
This can be fixed by adding a middleware that verifies the user's role before the handler runs:
// Benefits Page
app.get("/benefits", isLoggedIn, isAdmin, benefitsHandler.displayBenefits);
app.post("/benefits", isLoggedIn, isAdmin, benefitsHandler.updateBenefits);
To implement the isAdmin middleware, check whether the isAdmin flag is set for the logged-in user in the database. The role must come from the server-side user record, not from anything the client sends.
For example, here is a middleware function that can be added to routes/session.js:
// Lets the request through only if the logged-in user's record has isAdmin set
this.isAdminUserMiddleware = function(req, res, next) {
    if (req.session.userId) {
        // Look the role up server-side; never trust a flag supplied by the client
        userDAO.getUserById(req.session.userId, function(err, user) {
            if (user && user.isAdmin) {
                next();
            } else {
                return res.redirect("/login");
            }
        });
    } else {
        console.log("redirecting to login");
        return res.redirect("/login");
    }
};
It can then be made available in the routes/index.js router as:
var SessionHandler = require("./session");
// The middleware is defined on "this", so the handler must be instantiated;
// db is assumed to be the same database handle index.js passes to the other handlers
var sessionHandler = new SessionHandler(db);
// Middleware to check if user has admin rights
var isAdmin = sessionHandler.isAdminUserMiddleware;
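The following is an added example, not NodeGoat's own code, that models the whole chain above (isLoggedIn, then isAdmin, then the benefits handler) so it can be run without Express or a database. The user store, the `getUserById` helper, the `runChain` dispatcher and `requestBenefits` are all constructed for the demo; the lookup is synchronous here, where the tutorial's `userDAO.getUserById` takes a callback. It shows the insecure route letting a non-admin session reach the handler and the fixed route redirecting that same session to /login.

```javascript
// Constructed in-memory user store standing in for the database behind
// userDAO.getUserById (synchronous here so the example stays self-contained).
const USERS = {
  1: { _id: 1, userName: "admin", isAdmin: true },
  2: { _id: 2, userName: "user1", isAdmin: false },
};

function getUserById(userId) {
  return USERS[userId] || null;
}

// First gate, as in the tutorial: require a session with a userId, else /login.
function isLoggedIn(req, res, next) {
  if (req.session && req.session.userId) {
    return next();
  }
  return res.redirect("/login");
}

// Second gate: the role is read from the server-side user record, never from
// anything the client sent (query string, body, headers).
function isAdminUserMiddleware(req, res, next) {
  if (!req.session || !req.session.userId) {
    return res.redirect("/login");
  }
  const user = getUserById(req.session.userId);
  if (user && user.isAdmin) {
    return next();
  }
  return res.redirect("/login");
}

// Stands in for benefitsHandler.displayBenefits.
function displayBenefits(req, res) {
  return res.render("benefits", { userId: req.session.userId });
}

// Minimal dispatcher mimicking app.get(path, middleware..., handler): runs the
// chain in order until something writes a response and reports what was written.
function runChain(handlers, req) {
  let result = null;
  const res = {
    redirect(location) { result = { status: 302, location }; },
    render(view, locals) { result = { status: 200, view, locals }; },
  };
  let i = 0;
  const next = () => {
    const handler = handlers[i++];
    if (handler) {
      handler(req, res, next);
    } else {
      result = { status: 404 };
    }
  };
  next();
  return result;
}

// Before the fix: only isLoggedIn guards /benefits.
const insecureBenefitsRoute = [isLoggedIn, displayBenefits];
// After the fix: the role check sits between isLoggedIn and the handler.
const secureBenefitsRoute = [isLoggedIn, isAdminUserMiddleware, displayBenefits];

// Simulates GET /benefits with the given server-side session (null = anonymous).
function requestBenefits(chain, session) {
  return runChain(chain, { url: "/benefits", session });
}

const adminSession = { userId: 1 };
const userSession = { userId: 2 };
console.log("insecure route, user1:", requestBenefits(insecureBenefitsRoute, userSession)); // 200: non-admin reaches the page
console.log("secure route,   user1:", requestBenefits(secureBenefitsRoute, userSession));   // 302 -> /login
console.log("secure route,   admin:", requestBenefits(secureBenefitsRoute, adminSession));  // 200
console.log("secure route,   anon: ", requestBenefits(secureBenefitsRoute, null));          // 302 -> /login
```

The point the dispatcher makes visible is ordering: `isAdminUserMiddleware` only runs after `isLoggedIn` has established a session, and `displayBenefits` only runs after both gates have called `next()`. Any request that fails a gate never reaches the handler, which is the property the original route was missing.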