Header Injection in Adonisjs with Basic Auth

Header Injection occurs when an attacker can control or influence HTTP response headers, enabling cross-site scripting, HTTP response splitting, or cache poisoning. In AdonisJS applications that rely on Basic Authentication, this risk arises when user-controlled input (such as a username or password parameter) is reflected into headers without proper sanitization. For example, if route handling logic reads credentials from request headers or query strings and then passes them to a header-setting function like response.header(), newline characters (CRLF) in the input can inject additional headers or split the response body.

Basic Auth credentials are typically transmitted via the Authorization header in the format Basic base64(username:password). If the application decodes this value and uses the username or password directly in constructing other headers, any embedded carriage return or line feed characters can compromise header integrity. AdonisJS does not inherently sanitize these values, so developers must treat them as untrusted. A common pattern that is vulnerable is using decoded Basic Auth fields to set custom headers for logging or routing without validation:

// Vulnerable: using decoded Basic Auth values directly in headers
const authHeader = request.headers().authorization
if (authHeader && authHeader.startsWith('Basic ')) {
  const decoded = Buffer.from(authHeader.split(' ')[1], 'base64').toString('utf-8')
  const [username, password] = decoded.split(':')
  // Risk: username or password may contain CRLF
  response.header('X-User', username)
}

In this scenario, if username contains sequences like \r\nX-Injected: true, the header injection can add or overwrite downstream headers. This can distort caching behavior, enable reflected XSS if injected headers influence client-side rendering, or interfere with security headers such as Content-Security-Policy. Because Basic Auth is often used for simple API access or internal services, developers may assume the transport is private and neglect output encoding, increasing the attack surface. The combination of AdonisJS's flexible request handling and the implicit trust placed in decoded credentials makes this a realistic vector in unauthenticated or improperly validated endpoints.

Header Injection in this context is not about bypassing authentication but about corrupting the response structure. An attacker who can influence the username or password used in Basic Auth can manipulate headers that affect logging, routing, or downstream proxies. This is particularly relevant when endpoints parse credentials, transform them, and set headers without strict allowlists or encoding. Since middleBrick tests unauthenticated attack surfaces, including endpoints that rely on Basic Auth, such header-level weaknesses can be detected as part of the Data Exposure and Input Validation checks.

To remediate Header Injection in AdonisJS when using Basic Auth, ensure that any user-influenced data used to construct headers is strictly validated and sanitized. Do not directly embed decoded credentials into headers. Instead, use allowlisted values or hash-sensitive fields before inclusion. Below are concrete, safe patterns.

1. Avoid using decoded credentials in headers

Do not pass raw username or password values into response headers. If you need to tag requests for logging, use an internally generated, non-sensitive identifier:

// Safe: generate a request-scoped ID instead of echoing credentials
const crypto = require('crypto')
const requestId = crypto.randomUUID()
response.header('X-Request-ID', requestId)
// Do not set X-User with username

2. Sanitize inputs if headers are necessary

If you must include user-derived data in headers, enforce strict allowlists and remove or encode CRLF characters:

// Safe: sanitize newlines and enforce format
const sanitize = (value) => {
  return value.replace(/\r|\n/g, '')
}
const authHeader = request.headers().authorization
if (authHeader && authHeader.startsWith('Basic ')) {
  const decoded = Buffer.from(authHeader.split(' ')[1], 'base64').toString('utf-8')
  const [username, password] = decoded.split(':')
  response.header('X-User-Safe', sanitize(username))
}

3. Use AdonisJS middleware to enforce authentication without header reflection

Leverage AdonisJS middleware to validate credentials and avoid exposing them in headers. For example, use the built-in auth utilities to verify Basic Auth and set only safe, internal headers:

// Start command or provider: auth provider with Basic validation
const { createServer } = require('@adonisjs/fold')
const Server = use('Server')

Server.use(async ({ auth, request, response }, next) => {
  const authHeader = request.headers().authorization
  if (!authHeader || !authHeader.startsWith('Basic ')) {
    return response.status(401).send('Unauthorized')
  }
  const decoded = Buffer.from(authHeader.split(' ')[1], 'base64').toString('utf-8')
  const [username, password] = decoded.split(':')
  // Validate against a secure store; do not echo credentials in headers
  const isValid = await validateBasicCredentials(username, password)
  if (!isValid) {
    return response.status(401).send('Unauthorized')
  }
  await next()
})

async function validateBasicCredentials(username, password) {
  // Replace with secure lookup and constant-time comparison
  return username === 'admin' && password === 's3curePass!'
}

4. Enforce header integrity and testing

Configure AdonisJS to treat headers as immutable after setting them in critical routes, and test with CRLF payloads to confirm injection resistance. middleBrick can detect missing input validation and header injection risks during unauthenticated scans, helping you verify that user-controlled values are not reflected in headers.