Shared mutable state is a general vulnerability class in applications. This note covers it for web backends specifically.


Sharing state in a web backend can be dangerous because, in many backend frameworks and programming languages, this state persists between user sessions. Thus, user B might read information that user A left in this state.

See an example in Express.js:

const express = require('express');
const app = express();

// This will be shared between all requests!
let template = null;

app.get('/foo', (req, res) => {
  template = req.query.template; // overwrites the value for all users
  res.send('OK');
});

// Correct: only bound to a single request
app.get('/bar', (req, res) => {
  const template = req.query.template;
  res.send('OK');
});
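
The leak described above, as an added example that is not part of the original note: user A stores a value and user B reads it back, first with a shared variable, then with state keyed by session. The `createApp` helper, the `/show` route and the `req.sessionId` field are assumptions made for this sketch; in a real application the session identifier would come from the session middleware.

```javascript
// Constructed stand-in for Express routing (not Express itself), so this runs without dependencies.
function createApp() {
  const routes = new Map();
  return {
    get(path, handler) { routes.set(path, handler); },
    // Dispatch one request synchronously and return the body the handler sent.
    request(path, { sessionId, query = {} }) {
      let body;
      routes.get(path)({ sessionId, query }, { send(b) { body = b; } });
      return body;
    },
  };
}

// Vulnerable: one variable shared by every request, like `let template` in the note.
function buildSharedApp() {
  const app = createApp();
  let template = null;
  app.get('/foo', (req, res) => { template = req.query.template; res.send('OK'); });
  app.get('/show', (req, res) => res.send(String(template))); // hypothetical read route
  return app;
}

// Hardened: state that must outlive a single request is keyed by the caller's session.
function buildScopedApp() {
  const app = createApp();
  const templates = new Map(); // sessionId -> template
  app.get('/foo', (req, res) => {
    templates.set(req.sessionId, req.query.template);
    res.send('OK');
  });
  app.get('/show', (req, res) => res.send(String(templates.get(req.sessionId) ?? null)));
  return app;
}

// Constructed scenario: user A stores a value, then user B reads. Returns what B sees.
function whatUserBSees(app) {
  app.request('/foo', { sessionId: 'session-A', query: { template: 'A-private-template' } });
  return app.request('/show', { sessionId: 'session-B' });
}

console.log('shared variable, user B sees:', whatUserBSees(buildSharedApp()));
console.log('session-keyed,   user B sees:', whatUserBSees(buildScopedApp()));
```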

This problem is not limited to global, mutable variables in languages like JavaScript. Such state can also arise through:

  • Databases
  • Caching systems
  • Written files
  • Memory that is not correctly cleaned up in lower-level languages
  • Mutated default objects (as in monkey patching), e.g. when writing to the global object
  • A misbehaving third-party API (which might return sensitive, cached information from a previous request)

While shared mutable state isn’t always a security issue, it is generally an anti-pattern.
