Xss Cross Site Scripting in Adonisjs with Basic Auth
Xss Cross Site Scripting in Adonisjs with Basic Auth — how this specific combination creates or exposes the vulnerability
Cross-site scripting (XSS) in AdonisJS when protected by HTTP Basic Auth can occur when untrusted data is rendered in the browser without proper encoding and the authentication mechanism does not prevent injection vectors. Basic Auth typically sends credentials in an Authorization header; while this header itself is not directly reflected into HTML, applications often combine authenticated routes with user-controlled input such as query parameters, route segments, request bodies, or headers that are later echoed into responses. If those inputs are not validated, escaped, or sanitized, an attacker can inject malicious scripts that execute in the context of the authenticated user’s session.
For example, an AdonisJS route that reads a username from Basic Auth (or a related user record) and then includes that username in an HTML response without escaping can lead to reflected XSS. Attackers may deliver a URL containing a script payload via a query parameter or a form field; if the application merges user-controlled data with HTML, the script can run in the victim’s browser under the privileges of the authenticated user. Because Basic Auth does not inherently protect against injection of malicious content into the response body, the vulnerability arises from insecure handling of input and output, not from the authentication scheme itself.
In the context of the 12 security checks run by middleBrick, XSS is evaluated as part of the Input Validation and Output Handling checks, with specific attention to how user-supplied data is processed before being rendered in HTML, JSON, or other executable contexts. Even when Basic Auth is in use, the scan verifies whether input validation rules, output escaping, and secure coding practices are applied consistently across the framework’s request lifecycle. This helps identify gaps where authenticated routes may still expose unsafe reflection points.
Basic Auth-Specific Remediation in Adonisjs — concrete code fixes
To mitigate XSS in AdonisJS with Basic Auth, ensure that all user-controlled data is validated and properly escaped before inclusion in HTML, JavaScript, or CSS contexts. Below are concrete remediation steps and code examples.
1. Validate and sanitize input
Use Joi or schema-based validation for query parameters, route parameters, and request bodies. Do not trust data derived from authentication-related sources.
import { schema } from '@ioc:Adonis/Core/Validator'\nconst usernameSchema = schema.create({
username: schema.string.escapingHTML()
})
export const rules = usernameSchema2. Use framework-level output escaping in Edge templates
When rendering user data in .edge templates, use built-in escaping to prevent script injection.
@if(user)Welcome {{ user.username }}@endif
The double curly braces {{ }} in AdonisJS Edge automatically escape output, neutralizing injected HTML and script content.
3. Explicitly encode when building HTML in controllers
If generating HTML fragments in JavaScript, use an encoding library or framework utilities instead of string concatenation.
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
import { escape } from 'escape-goat'
export default class UserController {
public show({ auth, response }: HttpContextContract) {
const user = auth.getUserOrFail()
const safeUsername = escape(user.username)
response.send(`Welcome ${safeUsername}`)
}
}4. Secure Basic Auth implementation example
Define a Basic Auth guard and apply it to routes while ensuring responses do not reflect raw credentials or unchecked input.
// start/hooks.ts
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
import { BasicAuth } from '@ioc:Adonis/Addons/BasicAuth'
export const authHooks = {
authenticate: async (context: HttpContextContract) => {
const basicAuth = new BasicAuth()
const user = await basicAuth.authenticate(context)
return user
}
}
// in routes.ts
import Route from '@ioc:Adonis/Core/Route'
import { authHooks } from 'App/Hooks'
Route.get('/profile', async ({ auth, response }) => {
const user = auth.getUserOrFail()
// Safe: username is validated and escaped in the view layer
return response.render('profile', { user })
}).middleware([authHooks.authenticate])
// config/auth.ts
export const auth = {
guard: 'basic',
basic: {
authenticate: async (username, password) => {
const user = await User.findBy('username', username)
if (user && user.verifyPassword(password)) {
return user
}
return null
}
}
}Combine these practices with continuous scanning using middleBrick’s CLI to detect XSS and related input validation issues early. The Pro plan can enable automated scans on a schedule and integrate checks into CI/CD pipelines to prevent regressions.
Related CWEs: inputValidation
| CWE ID | Name | Severity |
|---|---|---|
| CWE-20 | Improper Input Validation | HIGH |
| CWE-22 | Path Traversal | HIGH |
| CWE-74 | Injection | CRITICAL |
| CWE-77 | Command Injection | CRITICAL |
| CWE-78 | OS Command Injection | CRITICAL |
| CWE-79 | Cross-site Scripting (XSS) | HIGH |
| CWE-89 | SQL Injection | CRITICAL |
| CWE-90 | LDAP Injection | HIGH |
| CWE-91 | XML Injection | HIGH |
| CWE-94 | Code Injection | CRITICAL |