Express framework, ~20 mins

CSRF protection in Express - Practice Problems & Coding Challenges

Challenge - 5 Problems
🎖️
CSRF Protection Mastery
Get all challenges correct to earn this badge!
Test your skills under time pressure!
❓ component_behavior
intermediate
2:00 remaining
How does CSRF token validation work in Express?
Consider an Express app using the csurf middleware. What happens when a POST request is sent without the CSRF token?
Express
const express = require('express');
const csurf = require('csurf');
const cookieParser = require('cookie-parser');

const app = express();
app.use(cookieParser());
app.use(csurf({ cookie: true }));

app.post('/submit', (req, res) => {
  res.send('Form submitted');
});
A. The server responds with a 403 Forbidden error because the CSRF token is missing or invalid.
B. The server logs the request but still processes it without blocking.
C. The server redirects the user to the login page automatically.
D. The server accepts the request and processes it normally without any error.
💡 Hint
Think about what the csurf middleware does when the token is missing or wrong.
πŸ“ Syntax
intermediate
1:30 remaining
Which code snippet correctly sets up CSRF protection with cookies in Express?
Choose the correct code to enable CSRF protection using the csurf middleware with cookie support.
A. app.use(csurf({ cookie: false }));
B. app.use(csurf({ session: true }));
C. app.use(csurf({ cookie: true }));
D. app.use(csurf());
💡 Hint
Look for the option that enables cookie-based CSRF tokens.
🔧 Debug
advanced
2:30 remaining
Why does the CSRF token validation fail in this Express app?
Given the code below, why does the server always respond with a 403 error on POST requests?
Express
const express = require('express');
const csurf = require('csurf');
const cookieParser = require('cookie-parser');

const app = express();
app.use(cookieParser());
app.use(csurf({ cookie: true }));

app.get('/form', (req, res) => {
  res.send(`<form method='POST' action='/submit'>
    <input type='hidden' name='_csrf' value='${req.csrfToken()}' />
    <button type='submit'>Submit</button>
  </form>`);
});

app.post('/submit', (req, res) => {
  res.send('Success');
});
A. The app is missing the express.urlencoded middleware before csurf, so the body is not parsed and the token is not found.
B. The cookieParser middleware is used after csurf, so cookies are not read correctly.
C. The CSRF token is not included in the form, so validation fails.
D. The csurf middleware is configured incorrectly; it should not use cookies.
💡 Hint
Check the order of middleware and what csurf needs to read the token from the body.
🧠 Conceptual
advanced
1:30 remaining
What is the main purpose of CSRF protection in web frameworks like Express?
Why do we add CSRF protection middleware in web applications?
A. To authenticate users by verifying their passwords.
B. To encrypt user data sent between client and server.
C. To speed up server response times by caching requests.
D. To prevent attackers from tricking users into submitting unwanted requests on their behalf.
💡 Hint
Think about what CSRF attacks do to users and servers.
❓ state_output
expert
2:00 remaining
What is the value of the CSRF token after this Express route runs?
Given the code below, what will be the output of the console.log statement?
Express
const express = require('express');
const csurf = require('csurf');
const cookieParser = require('cookie-parser');

const app = express();
app.use(cookieParser());
app.use(csurf({ cookie: true }));

app.get('/token', (req, res) => {
  const token = req.csrfToken();
  console.log(token);
  res.send('Token sent');
});
A. An empty string because no token is generated.
B. A unique string token generated for the user session, e.g., 'XyZ123AbC'.
C. An error is thrown because cookieParser is missing.
D. Undefined, because req.csrfToken() is not a function.
💡 Hint
What does req.csrfToken() return when csurf middleware is used correctly?