Injection Flaws in Express with Bearer Tokens

Injection flaws in Express when Bearer tokens are used center on how APIs validate, parse, and pass authorization context into business logic. A Bearer token is typically sent in the Authorization header as Authorization: Bearer <token>. If the application treats the token as untrusted input and incorporates it into dynamic queries, command construction, or template rendering without proper validation or escaping, injection becomes possible.

For example, concatenating a token-derived value into a database query or shell command can lead to SQL injection or command injection. Tokens may also be logged or echoed in error messages, enabling token exfiltration via injection-based output handling. Because the token often represents delegated identity, injection against token-using endpoints can escalate impact: an attacker who injects via a token may access or modify data on behalf of other users.

Express middleware that parses tokens and attaches user claims to req can inadvertently propagate attacker-controlled data if claims are derived from untrusted sources or if token introspection is bypassed. Injection-prone patterns include building LDAP filters, constructing MongoDB queries with concatenated strings, or using template literals to generate dynamic responses that include token metadata. These patterns intersect with the 12 security checks middleBrick runs in parallel: Input Validation, Authentication, Property Authorization, and Unsafe Consumption, among others.

Consider an endpoint that uses a token’s sub claim to query a user profile without server-side idempotent validation:

// Risky: directly using claims from token-derived user input
app.get('/users/:username', (req, res) => {
  const username = req.params.username;
  // If username originates from or is influenced by token claims, injection possible
  db.query('SELECT * FROM users WHERE username = \' + username + '\'');
});

Even when tokens themselves are not directly interpolated, endpoints that combine token-based authorization with dynamic query construction expose injection surfaces. The same applies to APIs that accept token-bound parameters in request bodies or headers and forward them to downstream services without sanitization, enabling SSRF or injection into external systems.

middleBrick’s unauthenticated scan tests these surfaces by checking whether endpoints reflect or misuse token-derived data, validating input against schema constraints, and verifying that authorization checks precede data operations. Findings map to OWASP API Top 10 (e.g., API1:2023 Broken Object Level Authorization) and common compliance frameworks such as PCI-DSS and SOC2, emphasizing the need to treat token context as part of the attack surface.

Remediation focuses on strict input validation, avoiding concatenation of token-derived or user-influenced data into sensitive operations, and ensuring authorization checks are independent of injection-prone transformations.

1. Parameterized queries and prepared statements

Always use parameterized queries or an ORM with built-in escaping. Do not concatenate user input or token claims into SQL strings.

// Safe: parameterized query with a placeholder
app.get('/users/:username', (req, res) => {
  const username = req.params.username;
  db.query('SELECT * FROM users WHERE username = ?', [username], (err, rows) => {
    if (err) return res.status(500).send('DB error');
    res.json(rows);
  });
});

2. Validate and sanitize all inputs influenced by token claims

Treat data derived from token claims as untrusted. Validate type, length, format, and range before use. Use a validation library to enforce schemas.

// Safe: validate token-derived or user input before use
const { body, validationResult } = require('express-validator');

app.post('/data', [
  body('search').isString().trim().escape()
], (req, res) => {
  const errors = validationResult(req);
  if (!errors.isEmpty()) {
    return res.status(400).json({ errors: errors.array() });
  }
  // Proceed with sanitized input
  res.json({ ok: true });
});

3. Avoid dynamic command construction

Never build shell commands with token-derived or user-controlled strings. Use whitelisted commands and argument arrays; if absolutely necessary, use a well-audited escaping library.

// Safe: avoid dynamic command building; use explicit exec with fixed binary
const { execFile } = require('child_process');
app.get('/convert/:filename', (req, res) => {
  const filename = req.params.filename;
  // Validate filename pattern strictly
  if (!/^[
a-zA-Z0-9_.-]+$/.test(filename)) {
    return res.status(400).send('Invalid filename');
  }
  execFile('convert', ['--safe', filename], (err, stdout) => {
    if (err) return res.status(500).send('Conversion failed');
    res.send(stdout);
  });
});

4. Enforce strict CORS and header handling

Ensure tokens are not inadvertently reflected in responses or logs. Avoid sending Authorization headers to frontend origins unless necessary, and strip sensitive headers from error responses.

// Safe: remove sensitive headers from error responses
app.use((err, req, res, next) => {
  res.removeHeader('Authorization');
  res.status(500).send('Internal error');
});

5. Scope token usage and apply principle of least privilege

Configure token scopes and claims to limit what data endpoints can act upon. Validate scopes server-side before performing sensitive operations.

// Safe: verify scope claim before sensitive action
app.post('/admin/export', verifyToken, (req, res) => {
  const scopes = req.auth.scopes || [];
  if (!scopes.includes('export:data')) {
    return res.status(403).send('Insufficient scope');
  }
  // Proceed with export
  res.json({ exported: true });
});

Using middleBrick’s CLI, you can scan from terminal with middlebrick scan <url> to validate these mitigations against runtime behavior. For CI/CD, the GitHub Action adds API security checks to your pipeline and can fail builds if risk scores drop below your chosen threshold. Teams with continuous monitoring needs may prefer the Pro plan, which supports scheduled scans and alerts.