Authentication route uses Basic Auth without HTTPS

Description

The API endpoint uses an authentication protocol that is not considered secure over a non-encrypted channel. The HTTP/1.0 protocol includes the specification for a Basic Access Authentication scheme. That scheme is not a secure method of user authentication, as the user name and password are passed over the network in an unencrypted form.

There are a few issues with HTTP Basic Auth:

  • The password is sent over the wire in base64 encoding, which is trivially decoded back to plaintext.
  • The password is sent repeatedly, with every request, creating a large attack window.
  • It does not support logout or session management.

Using plain HTTP for APIs is a significant security risk because it exposes sensitive data to interception, manipulation, and unauthorized access; services must only provide HTTPS endpoints.

Rationale

This finding works by identifying an API that:

  • Accepts Basic Authentication as its authentication mechanism
  • Uses an HTTP connection, sending data in the clear over the wire
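The two conditions above can be checked mechanically from a request/response pair. The following is an added example (not the scanner's own detection code): it evaluates a constructed exchange against an assumed hostname, and also decodes the Basic credential to show that base64 is an encoding, not a protection.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample exchange (no real system): a client request over plain
# HTTP carrying Basic credentials, and the server's matching 401 challenge.
# The hostname and credential are made up for the example.
SAMPLE_REQUEST = {
    "url": "http://api.example.test/v1/orders",
    "headers": {
        "Authorization": "Basic " + base64.b64encode(b"alice:hunter2").decode(),
    },
}
SAMPLE_RESPONSE_HEADERS = {"WWW-Authenticate": 'Basic realm="orders"'}


def decode_basic_credentials(authorization):
    """Return (user, password) from a Basic Authorization header, or None.

    No key is involved: anyone who observes the header recovers the password.
    """
    scheme, _, payload = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:  # RFC 7617 requires the user-id:password form
        return None
    return user, password


def uses_basic_auth(request_headers, response_headers):
    """True if the endpoint accepts Basic auth: the client sent it, or the
    server challenged for it with WWW-Authenticate: Basic."""
    auth = request_headers.get("Authorization", "")
    challenge = response_headers.get("WWW-Authenticate", "")
    return auth.lower().startswith("basic ") or challenge.lower().startswith("basic")


def evaluate(request, response_headers):
    """Apply the finding's rationale: Basic auth AND a cleartext (http) URL."""
    scheme = urlsplit(request["url"]).scheme.lower()
    basic = uses_basic_auth(request["headers"], response_headers)
    cleartext = scheme == "http"
    creds = decode_basic_credentials(request["headers"].get("Authorization", ""))
    return {
        "basic_auth": basic,
        "cleartext": cleartext,
        "finding": basic and cleartext,
        # Exposed only to make the point; a real scanner would never log this.
        "exposed_user": creds[0] if creds else None,
    }


if __name__ == "__main__":
    result = evaluate(SAMPLE_REQUEST, SAMPLE_RESPONSE_HEADERS)
    print("finding raised:", result["finding"])
    print("credential recoverable from the wire:",
          decode_basic_credentials(SAMPLE_REQUEST["headers"]["Authorization"]))
```

Running it against the constructed exchange raises the finding; changing the URL scheme to `https` clears it, because the rationale requires both conditions.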

Remediation

  • Replace Basic or Digest access authentication with a secure scheme. Some strong authentication protocols for web-based applications include:

    • Token-based authentication, implementing temporary access grants with access and refresh tokens (RFC-8898).
    • Public key authentication (usually implemented with an HTTPS / SSL client certificate)
  • Implement the HTTP Strict Transport Security (HSTS) header to instruct the user’s browser to always request the site over HTTPS.
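The transport half of the remediation (HTTPS-only endpoints plus HSTS) can be enforced in front of the application rather than in each handler. The following WSGI middleware is an added example, not part of this page or any named product; `api_app` is a hypothetical stand-in for the real API, and the choice to answer cleartext requests with 403 instead of a redirect is the example's own, so that no handler ever processes credentials that arrived unencrypted.

```python
# HSTS policy sent on every HTTPS response: one year, covering subdomains.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def api_app(environ, start_response):
    """Hypothetical API handler: behind the middleware it only ever sees HTTPS."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"ok": true}']


class RequireHttps:
    """Refuse to serve the API over plain HTTP and add HSTS on HTTPS replies."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # The request (and any Authorization header it carries) is not
            # forwarded to the application. Browsers ignore HSTS received over
            # HTTP (RFC 6797), so the header is deliberately not sent here.
            body = b"HTTPS is required for this API\n"
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]

        def start_with_hsts(status, headers, exc_info=None):
            # Replace any HSTS value the app set so the policy is uniform.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_with_hsts)


def make_environ(scheme, path="/v1/orders", authorization=None):
    """Constructed minimal WSGI environ so the example runs without a server."""
    env = {
        "wsgi.url_scheme": scheme,
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "HTTP_HOST": "api.example.test",  # made-up host for the example
    }
    if authorization:
        env["HTTP_AUTHORIZATION"] = authorization
    return env


def call_wsgi(app, environ):
    """Invoke a WSGI app directly; returns (status, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = RequireHttps(api_app)
    for scheme in ("http", "https"):
        status, headers, _ = call_wsgi(app, make_environ(scheme))
        print(scheme, "->", status, headers.get("Strict-Transport-Security"))
```

Note that the middleware cannot undo a credential a client has already sent in the clear; it only guarantees the service never accepts it. Disabling the plain-HTTP listener entirely, as the description requires, is the stronger control, with the middleware as defence in depth behind a TLS-terminating proxy that sets `wsgi.url_scheme` correctly.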

References

Reference                                       Description
OWASP - Authentication Cheat Sheet              Authentication Cheat Sheet: guidance on the best practices in the authentication area.
OWASP - REST Security Cheat Sheet               REST Security Cheat Sheet: guidance on the best practices in REST services implementation.
OWASP - Transport Layer Security Cheat Sheet    Transport Layer Security Cheat Sheet: guidance on implementing transport layer protection for applications using Transport Layer Security (TLS).