Authentication route uses Basic Auth without HTTPS

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Description

The API endpoint uses an authentication protocol that is not considered secure over a non encrypted channel. The “HTTP/1.0” protocol includes the specification for a Basic Access Authentication scheme. That scheme is not a secure method of user authentication, as the user name and password are passed over the network in an unencrypted form.

There are a few issues with HTTP Basic Auth:

  • The password is sent over the wire in base64 encoding (which can easily be converted to plaintext).
  • The password is sent repeatedly, for each request, creating a large attack window)
  • Does not support logout or session management

Using plain HTTP for APIs is a significant security risk because it exposes sensitive data to potential interception, manipulation, and unauthorized access, services must only provide HTTPS endpoints

Rationale

This finding works by identifying an API that:

  • Accepts Basic Authentication as authentication mechanism
  • Uses an HTTP connection, sending data in the clear over the wire

Remediation

  • Replace the Basic or Digest accesss authentication with a secure one. Some strong authentication protocols for web-based applications include:

    • Token-Based authentication, implementing temporary access grants by using Access and Refresh tokens (RFC-8898).
    • Public key authentication (usually implemented with a HTTPS / SSL client certificate)
  • Implement the HTTP Strict Transport Security (HSTS) header to instruct the user’s browser to always request the site over HTTPS.

References

ReferenceDescription
OWASP - Authentication Cheat SheetAuthentication Cheat Sheet: guidance on the best practices in authentication area.
OWASP - REST Security Cheat SheetREST Security Cheat Sheet: guidance on the best practices in REST services implementation.
OWASP - Transport Layer Security Cheat SheetTransport Layer Security Cheat Sheet: guidance implementing transport layer protection for applications using Transport Layer Security (TLS).