Authentication route uses Basic Auth without HTTPS

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Description

The API endpoint uses an authentication protocol that is not considered secure over a non encrypted channel. The “HTTP/1.0” protocol includes the specification for a Basic Access Authentication scheme. That scheme is not a secure method of user authentication, as the user name and password are passed over the network in an unencrypted form.

There are a few issues with HTTP Basic Auth:

  • The password is sent over the wire in base64 encoding (which can easily be converted to plaintext).
  • The password is sent repeatedly, for each request, creating a large attack window)
  • Does not support logout or session management

Using plain HTTP for APIs is a significant security risk because it exposes sensitive data to potential interception, manipulation, and unauthorized access, services must only provide HTTPS endpoints

Rationale

This finding works by identifying an API that:

  • Accepts Basic Authentication as authentication mechanism
  • Uses an HTTP connection, sending data in the clear over the wire

Remediation

  • Replace the Basic or Digest accesss authentication with a secure one. Some strong authentication protocols for web-based applications include:

    • Token-Based authentication, implementing temporary access grants by using Access and Refresh tokens (RFC-8898).
    • Public key authentication (usually implemented with a HTTPS / SSL client certificate)
  • Implement the HTTP Strict Transport Security (HSTS) header to instruct the user’s browser to always request the site over HTTPS.

References

ReferenceDescription
OWASP - Authentication Cheat SheetAuthentication Cheat Sheet: guidance on the best practices in authentication area.
OWASP - REST Security Cheat SheetREST Security Cheat Sheet: guidance on the best practices in REST services implementation.
OWASP - Transport Layer Security Cheat SheetTransport Layer Security Cheat Sheet: guidance implementing transport layer protection for applications using Transport Layer Security (TLS).