Format String in Django with Basic Auth

A format string vulnerability occurs when user-controlled input is passed directly into a string formatting function such as str.format or percent-style formatting without proper sanitization. In Django, combining this with HTTP Basic Authentication can unintentionally expose sensitive data or enable further exploitation. Basic Authentication encodes a username and password in Base64 and sends them in the Authorization header as Basic <base64-encoded-credentials>. If the server logs or error messages incorporate the decoded username using an unsafe format string, an attacker may manipulate placeholders to reveal internal state or cause crashes.

Consider a scenario where a Django view decodes the Basic Auth header and logs the username using Python’s % operator:

username, password = basic_auth_decode(request.META.get('HTTP_AUTHORIZATION'))
log_message = 'User login: %s' % username  # Unsafe if username is untrusted

If username contains format specifiers such as %s, %d, or %f, Python may consume additional values from the stack or produce exceptions, potentially leaking memory contents or causing denial of service. In a more severe case, an attacker could supply %s%s%s%s to influence log parsing or trigger information disclosure through crafted error output.

When Django’s logging configuration includes request details, an attacker can probe the application by sending crafted Basic Auth credentials and observe how logs are generated. Although Django itself does not use unsafe formatting internally, developers might combine decoded credentials with log aggregation or monitoring tools that later process these strings insecurely. The risk is amplified when the application runs in environments where log access is less restricted than the web application itself.

Another vector involves custom authentication backends that process the decoded credentials and construct messages for external systems. For example, integrating with legacy protocols or internal APIs that expect fixed-format strings may inadvertently pass user-controlled data into format operations. Because Basic Auth credentials are often treated as opaque tokens, developers may overlook the need to sanitize or validate them before interpolation.

To detect this combination during scanning, tools like middleBrick analyze unauthentated attack surfaces and flag instances where authentication data may be reflected in logs, errors, or outputs without safe handling. The presence of both Basic Auth and user-driven string formatting increases the likelihood of information leakage or instability, even if the immediate entry point is limited to the authentication header.

Securing Django applications that use HTTP Basic Authentication requires avoiding direct string interpolation of decoded credentials and ensuring safe handling at every stage. The primary goal is to prevent user-controlled data from influencing format strings or logs in a way that can be abused.

Use Python’s str.format_map with a dictionary that explicitly allows known keys, or use string.Template for simpler substitutions, and avoid % formatting when dealing with external input. For logging, rely on structured logging with dedicated parameters instead of embedding credentials in format strings.

Example of unsafe code to avoid:

from django.http import HttpResponse
from django.contrib.auth.models import User

def unsafe_login_view(request):
    auth = request.META.get('HTTP_AUTHORIZATION', '')
    if auth.startswith('Basic '):
        import base64
        decoded = base64.b64decode(auth[6:]).decode('utf-8')
        username, password = decoded.split(':', 1)
        # Unsafe: user-controlled username used in % formatting
        log_entry = 'User attempted login: %s' % username
        print(log_entry)
        # Authentication logic omitted for brevity
        return HttpResponse('OK')
    return HttpResponse('Unauthorized', status=401)

Secure alternative using logging with structured data and avoiding format-string interpolation of credentials:

import logging
import base64
from django.http import HttpResponse

logger = logging.getLogger(__name__)

def safe_login_view(request):
    auth = request.META.get('HTTP_AUTHORIZATION', '')
    if auth.startswith('Basic '):
        decoded_bytes = base64.b64decode(auth[6:])
        decoded = decoded_bytes.decode('utf-8')
        username, password = decoded.split(':', 1)
        # Safe: pass username as structured log data, not format string
        logger.info('User login attempt', extra={'username': username})
        # Perform authentication safely
        user = User.objects.filter(username=username).first()
        if user and user.check_password(password):
            return HttpResponse('OK')
    return HttpResponse('Unauthorized', status=401)

When constructing messages for external systems, validate and sanitize all inputs, and prefer using explicit mapping or concatenation instead of dynamic format strings. For compliance and traceability, tools like middleBrick can scan the authentication flow and highlight places where credentials may be reflected in logs or error responses, helping developers align with frameworks such as OWASP API Top 10.

Additionally, consider migrating from Basic Auth to token-based mechanisms where feasible, reducing the exposure of credentials in headers. If Basic Auth is required, enforce HTTPS to protect credentials in transit and apply rate limiting to mitigate brute-force attacks. The combination of secure coding practices and continuous scanning ensures that format string issues are identified early in the development lifecycle.