Question: How to bypass axios built in CSRF protection?

Question

How to bypass axios built in CSRF protection?

Answers 1
Added at 2016-12-28 19:12
Tags
Question

I'm making a NodeJS Express app, that in a certain scenario gets a request from a user, then forwards the request to a 3rd party site and once it receives a response from the 3rd party, forwards it back to the user. Nothing too complicated.

I am having a problem with the HTTP module axios. Which as it appears to have some sort of XSRF protection built into it, which causes my app to throw an error even though the request data from the user is being validated before anything else is done with it. Here is a simplified version of my code:

const
  express = require('express'),
  router = express.Router(),
  { join } = require('path'),
  axios = require('axios')

router.get('/:logId', (req, res, next) => {
  const { logId } = req.params

  // validate logId, 1 or more digit number
  const pathRegex = /^\/?\d+$/g
  if (!pathRegex.test(logId)) res.status(400).end()
  else {
    const urlStr1 = join('http://example.com/', logId)

    // another string for comparison
    const urlStr2 = 'http://example.com/123'

    // this successfully logs out the expected result to console
    axios.get(urlStr2)
    .then(console.log)
    .catch(console.warn)

    // this throws an error
    axios.get(urlStr1)
    .then(console.log)
    .catch(console.warn)
  }
})

As mentioned in the code comments, if I send a request with a string that I created on the server, everything works fine, however if I use a string, that is derived from the user's request data (a 1+ digit number), the following error is thrown:

 Error: connect ECONNREFUSED 127.0.0.1:80
    at Object.exports._errnoException (util.js:1012:11)
    at exports._exceptionWithHostPort (util.js:1035:20)
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1080:14)
  code: 'ECONNREFUSED',
  errno: 'ECONNREFUSED',
  syscall: 'connect',
  address: '127.0.0.1',
  port: 80,
  config:
   { adapter: [Function: httpAdapter],
     transformRequest: { '0': [Function: transformRequest] },
     transformResponse: { '0': [Function: transformResponse] },
     timeout: 0,
     xsrfCookieName: 'XSRF-TOKEN',
     xsrfHeaderName: 'X-XSRF-TOKEN',
     maxContentLength: -1,
     validateStatus: [Function: validateStatus],
     headers:
      { Accept: 'application/json, text/plain, */*',
        'User-Agent': 'axios/0.15.3' },
     method: 'get',
     url: 'http:/example.com/44',
     data: undefined },
  response: undefined }

That looks like axios' built in XSRF protection. Any ideas how to bypass it, other than using another HTTP request package?

Answers to

How to bypass axios built in CSRF protection?

nr: #1 dodano: 2016-12-28 19:12

You can use request module which is created for server originally unlike axios which is used for client side at most.

Source Show
◀ Wstecz