Authentication route use Basic Auth

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Description

The API endpoint uses an authentication protocol that is not considered secure. The “HTTP/1.0” protocol includes the specification for a Basic Access Authentication scheme. That scheme is not a secure method of user authentication, as the user name and password are passed over the network in an unencrypted form.

There are a few issues with HTTP Basic Auth:

  • The password is sent over the wire in base64 encoding, which can easily be converted to plaintext if the request was intercepted.
  • The password is sent repeatedly, for each request creating a large attack window.
  • Does not support logout or session management

Rationale

This finding works by identifying an API that accepts Basic Authentication as the authentication mechanism.

Remediation

  • Replace the Basic or Digest accesss authentication with a secure one. Some strong authentication protocols for web-based applications include:

    • Use of Token-Based authentication, implementing temporary access grants by using Access and Refresh tokens (RFC-8898).
    • Public key authentication, usually implemented over HTTPS with an SSL client certificate.

References

ReferenceDescription
OWASP - Authentication Cheat SheetAuthentication Cheat Sheet: guidance on the best practices in authentication area.
OWASP - REST Security Cheat SheetREST Security Cheat Sheet: guidance on the best practices in REST services implementation.