Please update Endpoints sample to use case sensitive routing #333

@sepehre

Nodejs Express defaults to case insensitive routing apparently:
http://stackoverflow.com/a/21216582

This could be problematic when combined with the Endpoints x-google-allow=all feature and auth enforced by ESP. ESP correctly does case sensitive path matching and if x-google-allow=all is set, it would let unmatched requests go to the backend.

If the Nodejs Express backend does its path matching in a case insensitive manner, an attacker can easily bypass ESP's auth checks by using "/eCHo" instead of "/echo".

Does that make sense?
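
The mismatch described in this issue, as an added example that is not part of the original post or of the Endpoints sample: a small model of a case-sensitive proxy matcher in front of a backend router, with and without case-sensitive routing. The function names, `AUTH_PATHS` and the sample paths are assumptions made for the illustration; no ESP or Express code is loaded.

```javascript
// Model only: neither ESP nor Express is loaded. AUTH_PATHS stands in for the
// paths the API config protects; '/echo' is the path named in the issue.
const AUTH_PATHS = ['/echo'];

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Proxy side: exact, case-sensitive match. With allowUnmatched (the issue's
// x-google-allow=all) an unmatched path is forwarded with no auth check.
function proxyDecision(path, hasCredential, allowUnmatched) {
  if (AUTH_PATHS.includes(path)) return hasCredential ? 'forward' : 'reject';
  return allowUnmatched ? 'forward-unchecked' : 'reject';
}

// Backend side: modelled as a route regex that carries the "i" flag unless
// case-sensitive routing is on. In a real Express app the switch is
// app.set('case sensitive routing', true) or express.Router({ caseSensitive: true }).
function backendRoute(path, caseSensitive) {
  const flags = caseSensitive ? '' : 'i';
  return AUTH_PATHS.find((r) => new RegExp('^' + escapeRe(r) + '$', flags).test(path)) || null;
}

// True when a request with no credential still lands on a protected handler.
function reachesHandlerUnauthenticated(path, { allowUnmatched, caseSensitive }) {
  if (proxyDecision(path, false, allowUnmatched) === 'reject') return false;
  return backendRoute(path, caseSensitive) !== null;
}

// Audit helper: paths the proxy treats as unmatched but the backend routes.
function findMismatches(paths, caseSensitive) {
  return paths.filter((p) => !AUTH_PATHS.includes(p) && backendRoute(p, caseSensitive) !== null);
}

// Constructed sample of request paths, e.g. taken from an access log.
const samplePaths = ['/echo', '/eCHo', '/healthz'];
console.log(findMismatches(samplePaths, false));
console.log(findMismatches(samplePaths, true));
```

Running `findMismatches` over real access-log paths with the backend's actual routing mode shows whether any request already slipped past the proxy's matcher.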
