HIGH request smugglingfeathersjsbasic auth

Request Smuggling in Feathersjs with Basic Auth

Scan for request smuggling in feathersjs

Request Smuggling in Feathersjs with Basic Auth

Request smuggling occurs when an attacker sends a request that is interpreted differently by a frontend proxy (like a load balancer or CDN) and a backend server. In Feathersjs applications that use Basic Auth without strict message validation, this mismatch can expose smuggling risks. Feathersjs is a framework that typically runs behind a reverse proxy; if the proxy and the Feathers server handle request boundaries differently, an attacker can craft a request that contains two HTTP messages concatenated in a single TCP stream.

With Basic Auth, the Authorization header is often trusted implicitly once present. A common smuggling pattern involves sending a request with two requests combined—for example, a valid request followed by a malicious one—where the proxy terminates TLS and forwards only the first request to Feathers, while the backend processes both. Because Feathersjs parses the request stream as a single HTTP message, the second request may be interpreted as part of the next connection handled by the server, potentially bypassing authentication or route protections applied at the proxy layer.

Consider a Feathers service configured with default JSON parsing middleware. An attacker might send:

POST /users HTTP/1.1
Host: example.com
Authorization: Basic dXNlcjpwYXNz
Content-Length: 44

{"name":"alice"}
GET /admin HTTP/1.1
Host: example.com
Authorization: Basic dXNlcjpwYXNz

If the proxy uses a different Content-Length interpretation than Feathersjs, the second request may be processed with elevated privileges or outside the intended service scope. Basic Auth does not inherently prevent this; it only provides credentials. Without strict header validation and consistent message framing, Feathersjs may process the second request as if it were part of the same transaction, leading to unauthorized access or data exposure.

Additionally, if the API accepts chunked transfer encoding without enforcing strict Content-Length policies, an attacker can exploit ambiguities in how the framework buffers and parses the stream. This is particularly relevant when Basic Auth is handled via headers that are passed through unchanged. The risk is not in Basic Auth itself, but in how Feathersjs and its hosting layer agree on request boundaries when authentication headers are present.

Basic Auth-Specific Remediation in Feathersjs

To mitigate request smuggling in Feathersjs when using Basic Auth, enforce strict HTTP message parsing and avoid relying on header-based trust. The key is to ensure that Feathersjs and any fronting proxies agree on how to interpret request boundaries, particularly Content-Length and Transfer-Encoding headers.

First, explicitly configure the underlying HTTP server used by Feathers to reject ambiguous or malformed messages. Use the http module options to disable automatic parsing of chunked encodings when not needed and to enforce strict Content-Length validation.

Example of a secure Feathers server setup with Basic Auth and strict headers:

const feathers = require('@feathersjs/feathers');
const express = require('@feathersjs/express');
const auth = require('basic-auth');

const app = express(feathers());

// Enforce strict header parsing
app.use((req, res, next) => {
  const credentials = auth(req);
  if (!credentials || credentials.name !== 'admin' || credentials.pass !== 'secret') {
    res.set('WWW-Authenticate', 'Basic realm="example"');
    return res.status(401).send('Authentication required');
  }
  // Reject requests with both Content-Length and Transfer-Encoding
  if (req.headers['transfer-encoding'] && req.headers['content-length']) {
    return res.status(400).send('Invalid message framing');
  }
  next();
});

app.use('/api', {
  find() {
    return [{ id: 'secure-data' }];
  }
});

app.listen(3030);

This middleware checks credentials and explicitly rejects requests that mix Transfer-Encoding and Content-Length, which is a common smuggling indicator. By validating the Authorization header on every request and ensuring consistent message framing, Feathersjs processes only well-formed HTTP messages.

Additionally, configure your reverse proxy (e.g., Nginx) to strip or reject ambiguous headers before they reach Feathersjs:

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    location / {
        proxy_pass http://localhost:3030;
        proxy_set_header Host $host;
        # Reject requests with both headers
        if ($http_transfer_encoding != "" && $http_content_length != "") {
            return 400;
        }
        proxy_set_header Authorization $http_authorization;
    }
}

By aligning the proxy and Feathersjs on message boundaries and explicitly validating the presence of conflicting headers, you reduce the risk of request smuggling. MiddleBrick scans can help identify such configuration issues by testing unauthenticated attack surfaces, even when Basic Auth is in use.

Scan for request smuggling in feathersjs Free API security scan

Frequently Asked Questions

Does using Basic Auth in Feathersjs prevent request smuggling?
No. Basic Auth only provides credentials and does not enforce strict HTTP message parsing. Request smuggling depends on how request boundaries are interpreted, which is independent of authentication.
Can middleBrick detect request smuggling in Feathersjs with Basic Auth?
Yes. middleBrick runs unauthenticated black-box scans that include request smuggling checks, even when Basic Auth headers are present, and reports findings with remediation guidance.

Related Pages

Request Smuggling in FeathersjsLearn how request smuggling exploits Feathersjs applications through HTTP parsing inconsistencies, with specific detectiRequest Smuggling with Basic AuthRequest smuggling in Basic Auth APIs exploits HTTP parsing ambiguities to smuggle authenticated requests. Learn detectioRequest Smuggling in Feathersjs on Fly IoUnderstand and remediate request smuggling in FeathersJS on Fly.io with concrete code fixes and validation steps.Request Smuggling in Feathersjs on SupabaseExplore request smuggling risks in Feathersjs with Supabase, and apply concrete fixes like header normalization and RLS-Request Smuggling in Feathersjs on RailwayUnderstand and remediate request smuggling in Feathersjs apps on Railway with precise header validation and middleware ePci Dss: Request Smuggling in FeathersjsExplore how request smuggling affects PCI DSS compliance in Feathersjs APIs, with concrete remediation code and scanningSoc2: Request Smuggling in FeathersjsExplore how request smuggling affects SOC 2 controls in FeathersJS apps and apply concrete middleware fixes to align heaIso 27001: Request Smuggling in FeathersjsExplore ISO 27001 controls applied to request smuggling in Feathersjs, with concrete remediation code and header validatCis: Request Smuggling in FeathersjsDetect and remediate request smuggling Cis in FeathersJS with concrete fixes, header validation, and transport hardeningRequest Smuggling in Feathersjs with FirestoreExplore request smuggling in FeathersJS with Firestore, understand how proxy parsing and Firestore routing create risk, Request Smuggling in Feathersjs with DynamodbExplore request smuggling in Feathersjs with DynamoDB, understand the risks, and apply concrete code fixes to secure youRequest Smuggling in Feathersjs with CockroachdbExplore request smuggling in Feathersjs with Cockroachdb, understand how deployment and parsing inconsistencies create r