HIGH regex dosbasic auth

Regex Dos with Basic Auth

Scan your API now

How Regex Dos Manifests in Basic Auth

Regex Denial of Service (ReDoS) in Basic Auth contexts occurs when authentication logic uses vulnerable regular expressions to validate credentials, creating a computational complexity trap that attackers can exploit to exhaust server resources.

The most common Basic Auth vulnerability involves credential validation patterns like this:

const isValidBasicAuth = (username, password) => {
  const pattern = /^([a-zA-Z0-9]+)@([a-zA-Z0-9]+)\.([a-zA-Z0-9]+)$/;
  return pattern.test(username) && pattern.test(password);
};

This appears benign but becomes catastrophic when paired with regex engines that use backtracking. The pattern ([a-zA-Z0-9]+) creates exponential time complexity for certain inputs. An attacker sending aaaaaaaaaaa! as both username and password triggers catastrophic backtracking, consuming CPU cycles for seconds or minutes.

Real-world exploitation patterns include:

  • Credential stuffing amplification: Attackers send slightly malformed credentials that force the regex engine to explore thousands of backtracking paths
  • Timing attack vectors: The variable response times from regex evaluation leak information about password structure
  • Resource exhaustion cascades: A single malicious request can tie up worker threads, preventing legitimate authentication attempts
  • Denial of service amplification: Multiple concurrent ReDoS requests can exhaust CPU resources entirely

The vulnerability is particularly insidious in Basic Auth because it sits in the authentication layer—the first security check. A successful ReDoS attack blocks all subsequent security controls, creating a single point of failure.

Basic Auth-Specific Detection

Detecting ReDoS vulnerabilities in Basic Auth requires analyzing both the regex patterns and their runtime behavior. Static analysis tools often miss these issues because the problematic patterns appear valid syntactically.

Key detection patterns for Basic Auth implementations:

// Vulnerable pattern examples to scan for
const dangerousPatterns = [
  /(a+)+b/,           // Exponential backtracking
  /([a-z]+)+$/,       // Nested quantifiers
  /(a|aa)+b/,        // Alternating patterns
  /([0-9]+)*[a-z]/   // Optional groups with quantifiers
];

Runtime detection requires monitoring authentication endpoints for:

  • Response time anomalies: Authentication responses that vary by seconds indicate regex evaluation problems
  • CPU utilization spikes: Authentication requests correlating with CPU load increases
  • Thread pool exhaustion: Authentication failures causing worker thread starvation

middleBrick's Basic Auth scanner specifically targets these vulnerabilities by:

  1. Analyzing credential validation regex patterns for exponential complexity
  2. Testing with crafted inputs designed to trigger catastrophic backtracking
  3. Measuring response time variance across authentication attempts
  4. Identifying nested quantifiers and overlapping patterns

The scanner tests patterns like:

// Test inputs for ReDoS detection
const testInputs = [
  'a'.repeat(10) + '!',           // Simple backtracking trigger
  'a'.repeat(20) + 'b',           // Exponential trigger
  'a'.repeat(15) + 'b' + 'a'.repeat(15), // Alternating pattern
];

Security teams should also monitor authentication logs for:

  • Requests with unusual credential lengths (extremely long or oddly structured)
  • Authentication attempts that take significantly longer than average
  • Failed logins with patterns suggesting regex exploitation attempts

Basic Auth-Specific Remediation

Remediating ReDoS in Basic Auth requires replacing vulnerable regex patterns with safe alternatives and implementing proper validation strategies. The most effective approach combines input validation, safe pattern matching, and rate limiting.

Safe Basic Auth credential validation:

// Safe username/password validation
const validateBasicAuth = (username, password) => {
  // Length limits prevent resource exhaustion
  if (username.length > 255 || password.length > 255) {
    return false;
  }
  
  // Use non-backtracking patterns or direct string methods
  const isValid = (input) => {
    // Simple character class validation without quantifiers
    for (let char of input) {
      if (!char.match(/[a-zA-Z0-9]/)) {
        return false;
      }
    }
    return true;
  };
  
  return isValid(username) && isValid(password);
};

Alternative safe approaches:

// Using built-in string methods (no regex)
const validateWithoutRegex = (username, password) => {
  const isSafe = (input) => {
    return /^[a-zA-Z0-9]+$/.test(input); // Simple pattern, no backtracking
  };
  return isSafe(username) && isSafe(password);
};

// Precompiled safe patterns
const safePattern = /^[a-zA-Z0-9]{1,255}$/;
const validateWithSafePattern = (username, password) => {
  return safePattern.test(username) && safePattern.test(password);
};

Additional protective measures:

  • Timeouts: Implement authentication timeouts to prevent long-running regex evaluations
  • Rate limiting: Limit authentication attempts per IP or user to reduce ReDoS impact
  • Input sanitization: Reject credentials with suspicious patterns before regex evaluation
  • Monitoring: Alert on authentication response times exceeding thresholds

Framework-specific implementations:

// Express.js middleware with protection
const express = require('express');
const rateLimit = require('express-rate-limit');

const authLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 5, // limit each IP to 5 requests per windowMs
  message: 'Too many authentication attempts'
});

const basicAuthMiddleware = (req, res, next) => {
  const authHeader = req.headers.authorization;
  if (!authHeader || !authHeader.startsWith('Basic ')) {
    return res.status(401).send('Missing Basic Auth');
  }
  
  try {
    const base64Credentials = authHeader.split(' ')[1];
    const credentials = Buffer.from(base64Credentials, 'base64').toString('ascii');
    const [username, password] = credentials.split(':');
    
    // Safe validation with timeout
    const validationTimeout = setTimeout(() => {
      return res.status(429).send('Authentication timeout');
    }, 100); // 100ms timeout
    
    const isValid = validateBasicAuth(username, password);
    clearTimeout(validationTimeout);
    
    if (!isValid) {
      return res.status(401).send('Invalid credentials');
    }
    
    next();
  } catch (error) {
    return res.status(401).send('Invalid credentials');
  }
};

Related CWEs: inputValidation

CWE IDNameSeverity
CWE-20Improper Input Validation HIGH
CWE-22Path Traversal HIGH
CWE-74Injection CRITICAL
CWE-77Command Injection CRITICAL
CWE-78OS Command Injection CRITICAL
CWE-79Cross-site Scripting (XSS) HIGH
CWE-89SQL Injection CRITICAL
CWE-90LDAP Injection HIGH
CWE-91XML Injection HIGH
CWE-94Code Injection CRITICAL
Scan your API now Free API security scan

Frequently Asked Questions

How can I test if my Basic Auth implementation is vulnerable to ReDoS?
Use middleBrick's free scanner to analyze your Basic Auth endpoints. The scanner tests with crafted inputs designed to trigger catastrophic backtracking and measures response time variance. Look for authentication responses that vary by more than 100ms between similar requests, or test locally by sending credentials with patterns like 'a'.repeat(20) + 'b' and measuring response times.
What's the difference between ReDoS and regular regex performance issues?
Regular regex performance issues involve slow but predictable execution times, while ReDoS creates exponential complexity that can cause seconds or minutes of CPU time for a single request. ReDoS specifically exploits regex engines' backtracking mechanisms—certain patterns like nested quantifiers or overlapping alternatives cause the engine to explore exponentially many paths. In Basic Auth, this means an attacker can block your authentication system with a single malformed credential.

Related Pages

Regex Dos in APIsLearn how Regex DoS vulnerabilities can crash your API endpoints, how to detect them with middleBrick's security scannerBasic Auth API SecurityLearn how Basic Auth works in APIs, common misconfigurations that lead to breaches, and concrete hardening techniques toRegex Dos on AwsLearn how Regex DoS attacks exploit AWS APIs through catastrophic backtracking, detection methods using CloudWatch and mRegex Dos on AzureLearn how Regex DoS attacks specifically target Azure Functions, Logic Apps, and API Management, with detection methods Hipaa: Regex DosLearn how Regex DoS vulnerabilities impact HIPAA compliance in healthcare APIs, with detection methods and code fixes foIso 27001: Regex DosISO 27001 requirements for regex denial of service: detection, remediation, and compliance alignment with availability cCis: Regex DosLearn how Critical Information Leakage (Cis) manifests in Regex Dos through specific code patterns, detection methods, aGdpr: Regex DosLearn how GDPR-related APIs are vulnerable to Regex DoS attacks, how middleBrick detects them, and how to fix unsafe regRegex Dos in Adonisjs with Basic AuthRegex DoS risks in AdonisJS with Basic Auth: causes, secure code examples, and remediation steps. Learn detection and fiRegex Dos in Axum with Basic AuthLearn how Regex Dos can arise in Axum with Basic Auth, and apply concrete Rust code fixes to remove vulnerable patterns Regex Dos in Actix with Basic AuthRegex Dos in Actix with Basic Auth: causes, impact, and secure remediation patterns with code examples.Regex Dos in Aspnet with Basic AuthRegex Dos in ASP.NET with Basic Auth: causes, remediation, and secure code examples to prevent credential parsing vulner