Authentication route use Basic Auth

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Description

The API endpoint uses an authentication protocol that is not considered secure. The “HTTP/1.0” protocol includes the specification for a Basic Access Authentication scheme. That scheme is not a secure method of user authentication, as the user name and password are passed over the network in an unencrypted form.

There are a few issues with HTTP Basic Auth:

  • The password is sent over the wire in base64 encoding, which can easily be converted to plaintext if the request was intercepted.
  • The password is sent repeatedly, for each request creating a large attack window.
  • Does not support logout or session management

Rationale

This finding works by identifying an API that accepts Basic Authentication as the authentication mechanism.

Remediation

  • Replace the Basic or Digest accesss authentication with a secure one. Some strong authentication protocols for web-based applications include:

    • Use of Token-Based authentication, implementing temporary access grants by using Access and Refresh tokens (RFC-8898).
    • Public key authentication, usually implemented over HTTPS with an SSL client certificate.

References

ReferenceDescription
OWASP - Authentication Cheat SheetAuthentication Cheat Sheet: guidance on the best practices in authentication area.
OWASP - REST Security Cheat SheetREST Security Cheat Sheet: guidance on the best practices in REST services implementation.