Null Pointer Dereference in Express with Basic Auth

A null pointer dereference in an Express application using HTTP Basic Authentication occurs when code attempts to access a property or method on an authentication-derived value that is null or undefined. This combination is common because Basic Auth headers must be parsed and validated before use, and if the header is missing, malformed, or rejected, the resulting user object may not be instantiated.

Consider an Express route that expects a user object after Basic Auth validation. If the authentication middleware does not guarantee a user object—due to a missing Authorization header or an invalid credential—the developer might directly access req.user.id or req.user.permissions without a null check. In JavaScript, this results in a runtime error: Cannot read properties of null (reading 'id'). An unauthenticated scanner can trigger this by sending requests without credentials or with an incorrect Base64-encoded header, causing the application to crash or return a 500 error that reveals stack traces or internal paths.

From an OWASP API Top 10 perspective, this maps to API1:2023 – Broken Object Level Authorization when the absence of a user leads to improper access checks, and can intersect with API2:2023 – Broken Authentication if the error responses aid an attacker in probing valid accounts. A real-world pattern resembles CVE-2021-23337-like null dereference scenarios where unchecked objects lead to denial of service or information leakage. The scanner’s Authentication check will flag missing or weak Basic Auth implementation, while the BOLA/IDOR check may detect inconsistent authorization states when user objects are unexpectedly null.

In a black-box scan, middleBrick tests unauthenticated endpoints and may include requests with an Authorization header set to an invalid Basic string. If the Express app throws an unhandled exception instead of responding with a controlled 401 or 400, the scan reports a high-severity finding with a risk score impact. Proper error handling and validation of the parsed credentials are essential to prevent the runtime from reaching a null state.

Remediation focuses on validating the presence and correctness of the Authorization header before accessing nested properties. Always check that the parsed user object exists and conforms to expected shapes. Below is a secure Express pattern using HTTP Basic Auth with explicit null guards and consistent error responses.

const express = require('express');
const app = express();
const auth = require('basic-auth');

function verifyCredentials(user, pass) {
  // Replace with secure credential store lookup
  return user === 'admin' && pass === 's3cur3P@ss';
}

app.use((req, res, next) => {
  const credentials = auth(req);
  if (credentials == null) {
    res.set('WWW-Authenticate', 'Basic realm="example"');
    return res.status(401).json({ error: 'Authentication required' });
  }
  if (!verifyCredentials(credentials.name, credentials.pass)) {
    return res.status(401).json({ error: 'Invalid credentials' });
  }
  req.user = { id: 'u-123', name: credentials.name };
  next();
});

app.get('/secure-data', (req, res) => {
  if (req.user == null) {
    return res.status(401).json({ error: 'Unauthorized' });
  }
  // Safe to access nested properties
  res.json({ userId: req.user.id, role: 'admin' });
});

app.listen(3000);

Key practices:

• Use the basic-auth package to parse the header, which returns null when missing rather than throwing.
• Check credentials == null before accessing .name or .pass to avoid null pointer dereference on malformed input.
• Set the WWW-Authenticate header on 401 responses to comply with the Basic Auth protocol and guide clients.
• Assign a minimal user object after validation so downstream routes can safely read req.user.id without additional guards.
• Return JSON error bodies with a consistent structure to avoid leaking stack traces that an LLM or attacker could exploit.

In production, integrate secret management for credentials and prefer token-based or session-based auth where feasible. The CLI command middlebrick scan <url> can validate that your endpoints no longer trigger null pointer dereferences under unauthenticated and authenticated probes.