Security risk in an Expressjs app with Passportjs authentication

I was recently reading this blog post about the dangers of using the bodyParser middleware in an Express server. The warning is also echoed in the Express guide. The problem basically boils down to the fact that bodyParser creates a temp file on your server for every request, leaving you wide open to a DDOS attack. See the article for the details.

I was interested to see that the getting started guide for Passportjs actually suggests using the bodyParser middleware. Passport is quite possibly the de facto authentication solution for Node.js apps, which means there might be a lot of vulnerable apps out there.

Luckily for me, the solution was easy. I'm using the local authentication strategy and was able to replace my call to app.use(express.bodyParser()); with app.use(express.urlencoded());
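As an added example (not code from the original post, nor from Express or Passport), here is a form-only body handler built on Node built-ins that shows the property gained by the swap: only application/x-www-form-urlencoded bodies are parsed, in memory and under a size cap, while multipart bodies, the ones bodyParser() would spool to temp files, are refused. The names classifyBody, handleFormBody and formOnlyBody are hypothetical, and the sample form body is constructed.

```javascript
'use strict';

// Upper bound on an in-memory form body; same order as Express's default 100kb.
const MAX_BODY_BYTES = 100 * 1024;

// Hypothetical helper: classify a request by the media type in Content-Type,
// ignoring parameters such as charset or boundary.
function classifyBody(contentType) {
  const type = String(contentType || '').split(';')[0].trim().toLowerCase();
  if (type === 'application/x-www-form-urlencoded') return 'form';
  if (type === 'multipart/form-data') return 'multipart';
  return 'other';
}

// Parse a raw urlencoded body into a plain object with the fields Passport's
// local strategy reads from req.body (username and password by default).
function parseForm(raw) {
  const fields = {};
  for (const [key, value] of new URLSearchParams(raw)) fields[key] = value;
  return fields;
}

// Decide what to do with a fully buffered body. Returns an object with an
// HTTP status and, on success, the parsed fields. Nothing here touches disk.
function handleFormBody(contentType, rawBuffer) {
  const kind = classifyBody(contentType);
  if (kind === 'multipart') return { status: 415, reason: 'multipart refused: would be spooled to disk' };
  if (kind !== 'form') return { status: 415, reason: 'unsupported content type' };
  if (rawBuffer.length > MAX_BODY_BYTES) return { status: 413, reason: 'body exceeds limit' };
  return { status: 200, body: parseForm(rawBuffer.toString('utf8')) };
}

// Connect/Express-style middleware: buffer the request (aborting early if it
// grows past the cap) and populate req.body only for accepted form bodies.
function formOnlyBody(req, res, next) {
  const chunks = [];
  let size = 0;
  req.on('data', (chunk) => {
    size += chunk.length;
    if (size > MAX_BODY_BYTES) { res.statusCode = 413; res.end('Payload Too Large'); req.destroy(); return; }
    chunks.push(chunk);
  });
  req.on('end', () => {
    const result = handleFormBody(req.headers['content-type'], Buffer.concat(chunks));
    if (result.status !== 200) { res.statusCode = result.status; res.end(result.reason); return; }
    req.body = result.body;
    next();
  });
}

// Constructed sample: a login form as the local strategy would receive it.
const sample = handleFormBody('application/x-www-form-urlencoded', Buffer.from('username=alice&password=s3cret'));
console.log(sample.status, sample.body); // 200 { username: 'alice', password: 's3cret' }
```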
