Typo fix in bypass-connect-csrf-protection-by-abusing.md (#141)

nikelborm · web-flow · commit e63aabe2eaa0 · 2024-03-04T11:55:07.000-07:00
diff --git a/docs/bypass-connect-csrf-protection-by-abusing.md b/docs/bypass-connect-csrf-protection-by-abusing.md
@@ -18,9 +18,9 @@ Considering the following code:
 
 ```js
 ...
-app.use express.csrf()
+app.use(express.csrf())
 ...
-app.use express.methodOverride()
+app.use(express.methodOverride())
 ```
 
 Connect's CSRF middleware does not check csrf tokens in case of idempotent verbs (GET/HEAD/OPTIONS, see lib/middleware/csrf.js). As a result, it is possible to bypass this security control by sending a GET request with a POST MethodOverride header or key.
