Usage of session on static asset (CSRF)

Description

Static assets are often cached by services sitting in front of the application (e.g. CDNs). If sessions are enabled on requests for static assets, each asset request initializes a session and the cached response may carry that session state, which can lead to Cross-Site Request Forgery (CSRF) attacks that hijack a user's session.

Remediations

✅ Ensure static resources are handled prior to session initialization:

const express = require("express")
const session = require("express-session")
const app = express()

// static middleware should be added before session middleware, so that
// requests for static assets are answered without initializing a session
app.use(express.static(__dirname + "/public"))

app.use(session({ secret: process.env.SESSION_SECRET }))
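To make the effect of the ordering visible, the following added example (not from the Bearer docs or from Express) models an Express-style middleware chain with a stand-in static handler and a stand-in session handler, and reports whether a request for a static asset would receive a Set-Cookie header under each ordering:

```javascript
// Minimal model of an Express-style middleware chain (constructed for this
// example; it is not Express itself). Each middleware receives (req, res, next)
// and either ends the response or calls next() to hand off to the next one.
function runChain(middlewares, req) {
  const res = { status: 200, headers: {}, body: null, ended: false };
  let i = 0;
  const next = () => {
    if (res.ended || i >= middlewares.length) return;
    const mw = middlewares[i++];
    mw(req, res, next);
  };
  next();
  return res;
}

// Stand-in for express.static(): serves anything under /public and ends the chain.
function staticMiddleware(req, res, next) {
  if (req.path.startsWith("/public/")) {
    res.body = `<contents of ${req.path}>`;
    res.ended = true;
    return;
  }
  next();
}

// Stand-in for express-session: creates a session (Set-Cookie) when none exists.
function sessionMiddleware(req, res, next) {
  if (!req.cookies.sid) {
    res.headers["Set-Cookie"] = "sid=constructed-session-id; HttpOnly; Path=/";
  }
  next();
}

// Application route that legitimately needs the session.
function appRoute(req, res) {
  res.body = "dashboard";
  res.ended = true;
}

// Vulnerable order: every static asset request initializes a session, so the
// Set-Cookie header is part of a response a CDN may cache and serve to other users.
const vulnerableOrder = [sessionMiddleware, staticMiddleware, appRoute];
// Remediated order: static assets are served before the session middleware runs.
const fixedOrder = [staticMiddleware, sessionMiddleware, appRoute];

// True if a cookie-less request for `path` would receive a session cookie.
function setsSessionCookie(order, path) {
  const res = runChain(order, { path, cookies: {} });
  return "Set-Cookie" in res.headers;
}
```

With the remediated order, only non-static routes such as /dashboard still receive a session cookie.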

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_express_static_asset_with_session

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_express_static_asset_with_session