Skip to content

Commit

Permalink
Typo fix in bypass-connect-csrf-protection-by-abusing.md (#141)
Browse files Browse the repository at this point in the history
  • Loading branch information
nikelborm authored Mar 4, 2024
1 parent 779da2b commit e63aabe
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions docs/bypass-connect-csrf-protection-by-abusing.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,9 +18,9 @@ Considering the following code:

```js
...
app.use express.csrf()
app.use(express.csrf())
...
app.use express.methodOverride()
app.use(express.methodOverride())
```

Connect's CSRF middleware does not check csrf tokens in case of idempotent verbs (GET/HEAD/OPTIONS, see lib/middleware/csrf.js). As a result, it is possible to bypass this security control by sending a GET request with a POST MethodOverride header or key.
Expand Down

0 comments on commit e63aabe

Please sign in to comment.