Missing CSRF protection
Cross-Site Request Forgery (CSRF) — state-changing routes that don't verify the request came from your own frontend.
What this rule detects
VC005 flags POST/PUT/DELETE/PATCH routes that mutate user state without a CSRF token check or `SameSite=Strict` cookie configuration. The rule excludes routes that are explicitly cross-origin by design (public webhooks, API endpoints with API-key auth).
Vulnerable vs. safe code
// User visits attacker.com — attacker page submits a form to /api/delete-account.
app.post("/api/delete-account", async (req, res) => {
await db.user.delete({ where: { id: req.session.userId } });
res.json({ ok: true });
});// Option 1: SameSite=Strict cookies (modern browsers, easiest).
app.use(session({
cookie: { sameSite: "strict", secure: true, httpOnly: true },
}));
// Option 2: explicit CSRF token (defense in depth).
import csrf from "csurf";
app.use(csrf({ cookie: true }));
app.post("/api/delete-account", async (req, res) => {
// csurf validates the token automatically; req.csrfToken() generates one
// for the form/fetch call.
await db.user.delete({ where: { id: req.session.userId } });
res.json({ ok: true });
});About A01:2021 — Broken Access Control
Access-control bugs let users do things they shouldn't — view another user's data, modify records they don't own, or hit admin-only endpoints without admin rights. This class moved to #1 in the 2021 OWASP Top 10 because 94% of audited apps had at least one access-control flaw.
Impact: An attacker who finds an access-control bug typically gets a much bigger blast radius than other vulnerability classes. Examples we've seen in AI-generated code: a /api/user/[id] route that returns any user's profile, a delete endpoint that doesn't check ownership, an admin dashboard with no role check.
How to fix it: Check authentication AND authorization on every server-side route. Never rely on the client to enforce permissions. Default to deny. For per-resource checks, fetch the resource and verify the requesting user owns it before returning or modifying it.
Common patterns in this category:
- Missing auth check on API routes (the resource is returned to anyone with the URL)
- Authorization based on a parameter the client controls (e.g. trusting `?userId=` in the URL)
- Direct object references where the resource ID isn't validated against the requesting user
- Public access to administrative or internal endpoints
- Privilege escalation via mass assignment (user POSTs `{role: 'admin'}` and the ORM accepts it)
Compliance coverage
Findings from this rule map to the following framework controls:
See the full compliance coverage page for how XploitScan maps every rule to SOC 2, ISO 27001, and OWASP Top 10 controls.
Scan your code for VC005 and 157 other rules
Free, no signup. Drag and drop a zip or run npx xploitscan scan .