Case-Insensitive Routing Bypass in Express.js Application
Description
This vulnerability occurs when an Express.js application uses case-insensitive routing (the default behavior) while implementing security controls that rely on exact string matching of URL paths. Attackers can bypass authentication or authorization middleware by changing the case of characters in the URL (e.g., accessing '/Admin' instead of '/admin'), causing the security checks to fail while the route still matches and executes.
Remediation
Enable case-sensitive routing in your Express.js application by setting the 'case sensitive routing' option to true during initialization:
const express = require('express');
const app = express();
// Enable case-sensitive routing so that '/Admin' no longer matches a route declared as '/admin'.
// Set this before any routes or routers are registered; the router reads the option when it is created.
app.set('case sensitive routing', true);

Additionally, implement security middleware using path normalization or regular expressions that account for case variations. Review all authentication and authorization middleware to ensure they validate routes correctly regardless of case. For existing applications where enabling case-sensitive routing might break functionality, normalize the request path before applying security checks:
// Middleware to normalize paths for security checks
app.use((req, res, next) => {
  // Store a lowercased copy of the path for the security middleware that follows
  req.normalizedPath = req.path.toLowerCase();
  next();
});

// Use the normalized path in security checks
app.use((req, res, next) => {
  // Note: this prefix check also covers paths such as '/administrator';
  // use an exact or segment-aware match if that is not intended.
  if (req.normalizedPath.startsWith('/admin')) {
    // Apply the authentication check here. On failure, send the error response
    // (e.g. 401/403) and return without calling next(), so the route handler never runs.
  }
  next();
});

Note: Do not lowercase the entire req.url, because it contains query parameters that may be case-sensitive. Conduct thorough testing after implementing these changes to ensure all routes and security controls function correctly.
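The bypass and the normalized-path remediation described above, as an added example that is not code from the original advisory: the guard is written as plain functions with constructed stub req/res objects so it runs without an Express server, and the function names and the 403 response are assumptions.

```javascript
// Added example, not code from the original advisory. Models the normalized-path
// guard with stub req/res objects so it runs without Express; all names assumed.

// True when the path falls under the protected /admin area. Lowercasing a copy of
// req.path mirrors Express's default case-insensitive matching, so '/Admin' and
// '/ADMIN/users' are caught; the match is segment-aware, so '/administrator' is not.
function isProtectedPath(path, { caseInsensitive = true } = {}) {
  const p = caseInsensitive ? path.toLowerCase() : path;
  return p === '/admin' || p.startsWith('/admin/');
}

// Hardened middleware: normalize only req.path (never req.url, which carries the
// query string) and stop the chain for unauthenticated requests to /admin.
function adminGuard(req, res, next) {
  if (isProtectedPath(req.path) && !req.user) {
    return res.status(403).send('Forbidden'); // no next(): handler never runs
  }
  return next();
}

// Buggy variant from the advisory's description: exact-case prefix check, which
// '/Admin' slips past while the default router still serves the '/admin' handler.
function naiveGuard(req, res, next) {
  if (req.path.startsWith('/admin') && !req.user) {
    return res.status(403).send('Forbidden');
  }
  return next();
}
// Constructed stand-ins for Express request/response objects.
function makeReq(path, user) {
  return { path, url: path + '?Token=AbC', user }; // mixed-case query value
}
function makeRes() {
  const res = { statusCode: 200, body: null };
  res.status = (c) => { res.statusCode = c; return res; };
  res.send = (b) => { res.body = b; return res; };
  return res;
}

// Run one request through a guard; report the status and whether the route ran.
function simulate(path, user, guard = adminGuard) {
  const req = makeReq(path, user);
  const res = makeRes();
  let handlerRan = false;
  guard(req, res, () => { handlerRan = true; });
  return { status: res.statusCode, handlerRan, query: req.url.split('?')[1] };
}
console.log(simulate('/Admin', undefined, naiveGuard)); // status 200, handlerRan true
console.log(simulate('/Admin'));                       // status 403, handlerRan false
```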