all InfoSec news logo
all InfoSec news - Your InfoSec news aggregator
Log in Sign up
all InfoSec news

Analysis and Remediation Guidance of CSRF Vulnerability in Csurf Express.js Middleware

Add to bookmarks
Sept. 19, 2022, 6:51 a.m. | mkrzeszowiec@veracode.com (mkrzeszowiec)

Application Security Research, News, and Education Blog www.veracode.com

Technical Summary
On 28th of August fortbridge.co.uk reported a vulnerability in csurf middleware – expressjs supporting library that enables CSRF protection in expressjs.
As of 13th of September csurf library has been deprecated with no plans to fix the vulnerabilities.
There is no viable alternative for csurf middleware now.
Am I Affected?
All versions of csurf library are vulnerable if:
csurf is setup to use double-submit cookies – csurf({cookie: true})
and default value function is in use
 
Setting up cookie …

analysis csrf express guidance middleware remediation vulnerability

Visit resource

More from www.veracode.com / Application Security Research, News, and Education Blog

Veracode Advances Cloud-Native Application Security with Longbow Acquisition 2 weeks, 1 day ago | www.veracode.com
acquisition application application security cloud +22
Veracode Customers Shielded from NVD Disruptions 2 weeks, 5 days ago | www.veracode.com
analysis customers cves database +13
Resolving Simple Cross-Site Scripting Flaws with Veracode Fix 3 weeks ago | www.veracode.com
application blog code cross-site +16
Security Debt: A Growing Threat to Application Security 4 weeks, 1 day ago | www.veracode.com
application application security debt development +17
A Timely Shift: Prioritizing Software Security in the 2024 Digital Landscape 1 month ago | www.veracode.com
address attack attack surface back +16
Integrating Veracode DAST Essentials into Your Development Toolchain 1 month, 1 week ago | www.veracode.com
application applications application security application security testing +21
The Risks of Automated Code Generation and the Necessity of AI-Powered Remediation 1 month, 1 week ago | www.veracode.com
ai-powered automated can code +22
Data-driven Strategies for Effective Application Risk Management in 2024 1 month, 2 weeks ago | www.veracode.com
application cisa critical cyber +23
Veracode Scan for VS Code: Now with Veracode Fix 1 month, 2 weeks ago | www.veracode.com
ai-powered availability can code +21

Jobs in InfoSec / Cybersecurity

Post a job on infosec-jobs.com Find talent on infosec-jobs.com

Information Security Engineers

@ D. E. Shaw Research | New York City
View on infosec-jobs.com

Senior Cybersecurity Technical Delivery Manager

@ MUFG | London Ropemaker place
View on infosec-jobs.com

Junior consultant-Technology Risk

@ EY | Bratislava, SK, 811 02
View on infosec-jobs.com

Director of Security Engineering, Information Security

@ Illumio | Sunnyvale, California
View on infosec-jobs.com

Cyber Analyst II 03396 NWG

@ North Wind Group | KNOXVILLE, TN
View on infosec-jobs.com

CRIT Information Security Officer (f/m/d)

@ Deutsche Börse | Frankfurt am Main, DE
View on infosec-jobs.com
View more jobs