rfrymire
10 days ago

Node.js - Beginner -- What am I missing?

In the Node.js - Beginner collection there is a practical lab on Forced Browsing. I have completed what is set up as the criteria for the lab, but it keeps telling me that the code isn't secure.

I have tested with two different users and the solution works to prevent forced browsing.

Are there some other criteria that need to be met that I'm missing?

Remediation:

Authorization check: returns a 401 if the user isn't logged in

I have also added the author check to verify that only the logged in user retrieves their own drafts.

 

  • This is the updated function:

    exports.getDraft = async (req, res) => {
        const loggedIn = await util.isLoggedIn(req);
        if(loggedIn !== true){
            return res.status(401).send("Unauthorized");
        }
        
        try {
            const { id } = req.params;
            if (!id) {
                return res.status(500).send({ success: false });
            }
            const author = await util.getIdByCookie(req.cookies.auth);
            const draft = await Question.findOne({ where: { id, author, draft: true } });
            return res.send({ success: true, data: draft });
        } catch (err) {
            console.log(err);
        }
        return res.status(500).send({ success: false });
    }

     

    • netcat

      You could add a check if the id actually exists to your code, but that will not help to make your code pass.
      All in all, for 100 points that's too much code. Try this:

      exports.getDraft = async (req, res) => {
          return res.status(401).send("Unauthorized");
      }

      -> When testers fail to implement proper tests, the customer gets partially functional software. At least the tests are passed and the code can be shipped to production immediately.

      • rfrymire69

        That didn't seem to help either. In the post above all the code existed except lines 2-5 and line 12 was moved from basically line 2 without my additions. The addition of author to line 13 should only pull back the drafts associated to the author. This seems to be the correct implementation based upon the requirements. Every test of the code returns insecure though.

        Am I still reading too much into it?

        1.) Identify the forced browsing vulnerability.
        2.) Add an appropriate authorization check and send a 401 for unauthorized users in the getDraft function.

  • I tried that the first time but I believe I was getting timeouts during the VSCode tests. It does work as expected to pass the test. It just didn't seem right to remove more than expected with existing code base and none of the previous labs had implemented that same strategy. Thanks!
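
The authorization check discussed in this thread, as an added example (not code from the lab or from any poster): the handler answers 401 both when nobody is logged in and when the requested draft does not belong to the caller. `sessions`, `questions`, `mockRes` and `call` are constructed stand-ins for the lab's `util`, `Question` and Express objects, and treating a non-owner as a 401 instead of returning `data: null` is this example's assumption, not a confirmed requirement of the lab's tests.

```javascript
// Constructed in-memory stand-ins for the lab's `util` and `Question` modules
// (assumption: the real ones are backed by a session store and a database).
const sessions = { "cookie-alice": 1, "cookie-bob": 2 };
const questions = [
  { id: "10", author: 1, draft: true, title: "Alice's draft" },
  { id: "11", author: 2, draft: true, title: "Bob's draft" },
];
const util = {
  getIdByCookie: async (cookie) => sessions[cookie] ?? null,
};
const Question = {
  findOne: async ({ where }) =>
    questions.find((q) =>
      Object.entries(where).every(([k, v]) => q[k] === v)) ?? null,
};

// 401 unless the caller is logged in AND owns the requested draft.
const getDraft = async (req, res) => {
  try {
    const cookie = req.cookies && req.cookies.auth;
    const author = cookie ? await util.getIdByCookie(cookie) : null;
    if (author === null || author === undefined) {
      return res.status(401).send("Unauthorized");
    }
    const { id } = req.params;
    if (!id) {
      return res.status(400).send({ success: false });
    }
    // Scope the lookup to the caller so another user's id matches nothing.
    const draft = await Question.findOne({ where: { id, author, draft: true } });
    if (!draft) {
      return res.status(401).send("Unauthorized");
    }
    return res.send({ success: true, data: draft });
  } catch (err) {
    console.log(err);
    return res.status(500).send({ success: false });
  }
};

// Minimal Express-like response recorder used to exercise the handler.
const mockRes = () => {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.send = (body) => { res.body = body; return res; };
  return res;
};
const call = async (cookie, id) =>
  getDraft({ cookies: { auth: cookie }, params: { id } }, mockRes());
```

`call("cookie-alice", "10")` resolves to a 200 with Alice's draft, while `call("cookie-alice", "11")` and `call(undefined, "10")` both resolve to a 401.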