Advisories for Npm/Csrf-Lite package

2019

Cross-Site Request Forgery (CSRF)

csrf-lite is a cross-site request forgery protection library for framework-less node sites. csrf-lite uses ===, a fail first string comparison, instead of a time constant string comparison This enables an attacker to guess the secret in no more than (16*18)288 guesses, instead of the 16^18 guesses required were the timing attack not present.

2016

Non-Constant Time String Comparison

csrf-lite uses ===, a fail first string comparison, instead of a time constant string comparison. This enables an attacker being able to calculate minuscule differences in CSRF tokens, essentially enabling them to guess the token one character at a time Each check increases the variable tempCheck by one. If a malicious user is able to see what tempCheck is at each run (how long it takes to do a check), …