Auth Bypass in Express with Cockroachdb

An Auth Bypass in an Express service that uses CockroachDB typically occurs when session or token validation is performed in application code rather than being enforced by a dedicated authorization layer. Because CockroachDB is compatible with PostgreSQL wire protocol, many Express apps interact with it using PostgreSQL clients, and this introduces specific patterns that can lead to bypasses if security controls are not consistently applied.

Consider an Express route that constructs SQL dynamically using string concatenation or poorly parameterized queries. An attacker may supply a crafted user identifier or object ID that causes the query to return a record the attacker should not access. Because CockroachDB implements SERIALIZABLE isolation by default, it prevents certain classes of concurrency anomalies, but it does not prevent logical flaws in how queries are built or how results are interpreted. If the application uses the raw returned row to infer authorization (for example, checking if a row count is greater than zero to decide access), an attacker can exploit union-based techniques or conditional logic to exfiltrate or modify data across tenant boundaries.

Another common pattern involves IDOR when object references are exposed in URLs or API parameters. If Express endpoints use numeric or UUID identifiers directly from user input without verifying that the authenticated subject has permission to access the referenced resource, the combination of CockroachDB’s global, consistent reads and Express’s middleware ordering can allow one user’s queries to inadvertently return another user’s data. MiddleBrick scans detect this as a BOLA/IDOR finding, highlighting cases where an unauthenticated or low-privilege context can retrieve sensitive records by manipulating identifiers.

Insecure default configurations in CockroachDB clusters can also contribute to risk. For example, if the database exposes a root or privileged account over the network without TLS, an attacker who reaches the network layer might attempt to escalate privileges or read data directly. Even when TLS is enforced, if the Express application does not validate server certificates or uses a shared certificate across services, the risk of interception remains. MiddleBrick’s Encryption and Data Exposure checks surface these issues by analyzing how endpoints handle credentials and whether sensitive data is transmitted without adequate protection.

LLM-specific concerns arise when an Express service exposes endpoints that return system prompts or error messages containing implementation details. An attacker could use prompt injection techniques to coax the application into revealing database connection strings, schema names, or query patterns through crafted inputs. MiddleBrick’s LLM/AI Security module includes system prompt leakage detection and active prompt injection testing to identify these vectors before they can be exploited in production.

Finally, because CockroachDB supports distributed SQL, developers sometimes assume that strong consistency alone is sufficient for security. Consistency does not equate to authorization. Without explicit row-level checks and scoped queries that enforce tenant boundaries, an Express application can allow privilege escalation or unauthorized data access. MiddleBrick’s Property Authorization and BFLA checks are designed to catch these gaps by correlating spec definitions with runtime behavior.

Remediation focuses on strict input validation, parameterized queries, and explicit authorization checks before data access. Always treat identifiers from the client as untrusted and verify permissions against the authenticated subject using a dedicated authorization layer.

const express = require('express');
const { Pool } = require('pg');
const app = express();

const pool = new Pool({
  connectionString: process.env.COCKROACHDB_URI,
  ssl: {
    rejectUnauthorized: true,
  },
});

app.get('/users/:userId', async (req, res) => {
  const authenticatedUserId = req.session.userId;
  const targetUserId = req.params.userId;

  if (!authenticatedUserId || authenticatedUserId !== targetUserId) {
    return res.status(403).json({ error: 'forbidden' });
  }

  const query = 'SELECT id, email, created_at FROM users WHERE id = $1';
  const values = [targetUserId];

  try {
    const { rows } = await pool.query(query, values);
    if (rows.length === 0) {
      return res.status(404).json({ error: 'not found' });
    }
    res.json(rows[0]);
  } catch (err) {
    res.status(500).json({ error: 'internal server error' });
  }
});

In this example, the Express route enforces that the authenticated user can only access their own profile. The CockroachDB query uses parameterized inputs ($1) to prevent SQL injection and does not rely on client-supplied identifiers for access control decisions. The SSL configuration ensures encrypted connections, addressing encryption and data exposure concerns flagged by MiddleBrick.

For tenant-aware applications, scope queries by tenant identifier and validate ownership before returning results:

app.get('/records/:recordId', async (req, res) => {
  const userId = req.session.userId;
  const recordId = req.params.recordId;

  const query = `
    SELECT r.id, r.data, r.tenant_id
    FROM records r
    INNER JOIN memberships m ON r.tenant_id = m.tenant_id
    WHERE r.id = $1 AND m.user_id = $2
  `;
  const values = [recordId, userId];

  try {
    const { rows } = await pool.query(query, values);
    if (rows.length === 0) {
      return res.status(403).json({ error: 'access denied' });
    }
    res.json(rows[0]);
  } catch (err) {
    res.status(500).json({ error: 'internal server error' });
  }
});

This pattern demonstrates Property Authorization by ensuring that access is granted only when the user is a member of the tenant associated with the record. The query explicitly joins membership tables instead of trusting the record’s tenant_id alone, which aligns with BOLA/IDOR prevention guidance provided by MiddleBrick’s scans.

Finally, integrate MiddleBrick into your workflow using the CLI to validate fixes:

• Scan from terminal with middlebrick scan <url>
• Add API security checks to your CI/CD pipeline with the GitHub Action
• Track scores over time using the Web Dashboard