Are CSRF attacks impossible if there is no express.urlencoded()?

  csrf, express, javascript, node.js, security

In Express, submitted HTML form data doesn’t populate req.body unless you use the express.urlencoded() middleware.

Does this mean that CSRF attacks are only possible in Express if you use express.urlencoded()? If we only use express.json() (and no other parser that reads form data, like multer), are CSRF attacks impossible?

Sample server to be attacked:

const express = require('express');

const app = express();

// Parse application/x-www-form-urlencoded bodies into req.body.
// Remove or replace with express.json() to see req.body empty on HTML form submissions.
app.use(express.urlencoded({ extended: false }));

app.post('/item', (req, res, next) => {
    console.log('posting item');
    res.send(`posted item body: ${Object.keys(req.body)[0]}: ${Object.values(req.body)[0]}`);
});

// Pass a function as the listener; calling console.log() inline would hand .on() undefined.
app.listen(4000)
      .on('listening', () => console.log("HTTP server listening on port 4000"));

Sample CSRF attack:

<!-- To test this CSRF attack, this page should be launched on a different local server (not localhost:4000) than the backend -->

<!DOCTYPE html>
<html lang="en">
  <body>
    <form action="http://localhost:4000/item" method="post">
      <input name="itemName" value="Shirt" type="text">
      <input type="submit">
    </form>

    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Source: Ask Javascript Questions
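With only express.json() mounted, a form POST like the one above still reaches the route handler; the body is just left unparsed, so the parser choice is not an access control. The following is an added example, not part of the original question: a server-side gate for state-changing routes that checks the Origin header and the content type, written as plain functions so it runs without Express installed. ALLOWED_ORIGINS and the function names are assumptions; the allow-list assumes the legitimate front end is served from http://localhost:4000.

```javascript
// Added example: origin and content-type gate for state-changing routes.
// ALLOWED_ORIGINS and all function names are assumptions, not from the page.
const ALLOWED_ORIGINS = new Set(['http://localhost:4000']);
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Bare media type: "application/json; charset=utf-8" -> "application/json".
function mediaType(headerValue) {
  return String(headerValue || '').split(';')[0].trim().toLowerCase();
}

// Decide whether a request may reach a state-changing handler.
// `req` needs only `method` and `headers` (lower-cased keys, as Node provides).
function evaluateRequest(req, allowedOrigins = ALLOWED_ORIGINS) {
  if (SAFE_METHODS.has(String(req.method).toUpperCase())) {
    return { allowed: true, status: 200, reason: 'safe method' };
  }
  const headers = req.headers || {};
  // Current browsers send Origin on POST requests, including HTML form
  // submissions. A missing or "null" Origin is treated as untrusted.
  const origin = headers.origin;
  if (!origin || !allowedOrigins.has(origin)) {
    return { allowed: false, status: 403, reason: 'origin not allowed' };
  }
  // Accept JSON only, so form encodings are refused before any handler runs.
  if (mediaType(headers['content-type']) !== 'application/json') {
    return { allowed: false, status: 415, reason: 'unsupported content type' };
  }
  return { allowed: true, status: 200, reason: 'ok' };
}

// Express-style wrapper: mount with app.use(csrfGuard()) before the routes.
function csrfGuard(allowedOrigins = ALLOWED_ORIGINS) {
  return (req, res, next) => {
    const verdict = evaluateRequest(req, allowedOrigins);
    if (verdict.allowed) return next();
    res.status(verdict.status).send(verdict.reason);
  };
}
```

Mounted ahead of `app.post('/item', ...)`, the guard answers the sample form submission with 403 before "posting item" is ever logged.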
