Usage of session on static asset (CSRF)

• Rule ID: javascript_express_static_asset_with_session
• Languages: javascript
• Source: static_asset_with_session.yml

Description

Enabling sessions for static assets can inadvertently expose your application to Cross-Site Request Forgery (CSRF) attacks. This vulnerability arises because static assets, like images and stylesheets, are often cached by intermediary services such as Content Delivery Networks (CDNs). If these assets are served with session information, attackers can exploit this to hijack a user's session.

Remediations

• Do ensure that static resources are served prior to session initialization in your application's middleware order. This practice prevents session cookies from being unnecessarily attached to static assets, reducing the risk of CSRF attacks.

  app.use(express.static(__dirname + "/public"));
  app.use(session());

Associated CWE

• CWE-352: Cross-Site Request Forgery (CSRF)

OWASP Top 10

• A01:2021 - Broken Access Control

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_express_static_asset_with_session

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_express_static_asset_with_session