Cross-site scripting (XSS) in an Express API that uses HTTP Basic Authentication can arise when authentication data and user-controlled content are handled inconsistently. Basic Auth encodes credentials in the Authorization header as base64(username:password); this mechanism does not protect the endpoint against injected scripts if the server reflects user input into HTML, XML, or JSON responses without proper escaping.

Consider an Express route that reads a username from Basic Auth and echoes it into a response. If the route directly embeds the decoded username into an HTML body or JSON field that is later rendered in a browser context, an attacker can supply a malicious string such as <script>stealCookies()</script>. When the browser parses the response, it executes the injected script in the context of the authenticated session. This combination is notable because authentication proves identity but does not imply sanitization; revealing the authenticated identity can also aid social engineering or chained attacks.

In more complex flows, an attacker might supply credentials containing script-like content (e.g., a username with encoded characters) and observe how the server reflects them. Because Basic Auth credentials are often logged or echoed in error messages, developers might inadvertently expose sensitive information or provide an injection vector. XSS is commonly categorized in the OWASP API Top 10 under Security Misconfiguration and Insufficient Input/Output Validation, and it frequently intersects with Identity and Authentication weaknesses such as BOLA/IDOR when authorization checks are incomplete.

An unauthenticated scan using middleBrick can surface these issues by probing endpoints that accept Basic Auth and checking whether reflected data is properly encoded. The tool tests input validation and output encoding across multiple character sets and contexts (HTML body, attributes, JavaScript). Findings include severity levels and remediation guidance mapped to frameworks such as OWASP API Top 10 and PCI-DSS, helping teams prioritize fixes without requiring internal architecture details.

Secure handling of Basic Auth in Express requires strict separation between authentication and output encoding. Never embed raw credentials or user-controlled data directly into HTML, and apply context-aware escaping for JSON and HTML responses.

Example: Unsafe reflection of Basic Auth username

// UNSAFE: reflects username without escaping
app.get('/profile', (req, res) => {
  const auth = req.headers.authorization || '';
  const token = auth.split(' ')[1];
  const decoded = Buffer.from(token, 'base64').toString('utf-8');
  const [user] = decoded.split(':');
  res.send(`
Welcome ${user}
`);
});

An attacker with credentials alice<script>alert(1)</script>:pass can execute JavaScript in the victim’s browser. To fix this, apply appropriate escaping based on the response context.

Safe HTML response with escaping

const escapeHtml = (unsafe) => {
  return unsafe.replace(/[<>"'/]/g, (char) => {
    const map = {
      '&': '&',
      '<': '<',
      '>': '>',
      '"': '"',
      ''': ''',
      '/': '/'
    };
    return map[char] || char;
  });
};

app.get('/profile', (req, res) => {
  const auth = req.headers.authorization || '';
  const token = auth.split(' ')[1];
  const decoded = Buffer.from(token, 'base64').toString('utf-8');
  const [user] = decoded.split(':');
  const safeUser = escapeHtml(user);
  res.send(`
Welcome ${safeUser}
`);
});

Safe JSON response for frontend consumption

app.get('/api/user', (req, res) => {
  const auth = req.headers.authorization || '';
  const token = auth.split(' ')[1];
  const decoded = Buffer.from(token, 'base64').toString('utf-8');
  const [user] = decoded.split(':');
  // Ensure Content-Type is application/json
  res.setHeader('Content-Type', 'application/json');
  res.send(JSON.stringify({ username: user }));
});

When the frontend reads this JSON and injects it into the DOM, it should still use safe methods such as textContent or a templating library that escapes by default. For production, consider using established libraries for escaping and a strict Content-Security-Policy to mitigate the impact of any remaining XSS risks. middleBrick can validate that reflected fields are properly encoded and that endpoints using Basic Auth do not leak credentials in error messages, providing prioritized findings and remediation steps.

Additional hardening steps include enforcing HTTPS to prevent credential interception, avoiding logging of Authorization headers, and implementing rate limiting to reduce abuse potential. The Pro plan supports continuous monitoring and CI/CD integration so that future changes to authentication or output handling can be automatically validated before deployment.