Authentication route uses Basic Auth without HTTPS
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Description
The API endpoint uses an authentication protocol that is not considered secure over a non encrypted channel. The “HTTP/1.0” protocol includes the specification for a Basic Access Authentication scheme. That scheme is not a secure method of user authentication, as the user name and password are passed over the network in an unencrypted form.
There are a few issues with HTTP Basic Auth:
- The password is sent over the wire in base64 encoding (which can easily be converted to plaintext).
- The password is sent repeatedly, for each request, creating a large attack window)
- Does not support logout or session management
Using plain HTTP for APIs is a significant security risk because it exposes sensitive data to potential interception, manipulation, and unauthorized access, services must only provide HTTPS endpoints
Rationale
This finding works by identifying an API that:
- Accepts Basic Authentication as authentication mechanism
- Uses an HTTP connection, sending data in the clear over the wire
Replace the Basic or Digest accesss authentication with a secure one. Some strong authentication protocols for web-based applications include:
- Token-Based authentication, implementing temporary access grants by using Access and Refresh tokens (RFC-8898).
- Public key authentication (usually implemented with a HTTPS / SSL client certificate)
Implement the HTTP Strict Transport Security (HSTS) header to instruct the user’s browser to always request the site over HTTPS.
References