Authentication route uses Basic Auth

Description

The API endpoint uses an authentication protocol that is not considered secure. The “HTTP/1.0” protocol includes the specification for a Basic Access Authentication scheme. That scheme is not a secure method of user authentication, as the user name and password are passed over the network in an unencrypted form.

There are a few issues with HTTP Basic Auth:

  • The password is sent over the wire in base64 encoding, which is trivially converted back to plaintext if the request is intercepted.
  • The password is sent repeatedly, with every request, which creates a large attack window.
  • The scheme does not support logout or session management.

Rationale

This finding works by identifying an API that accepts Basic Authentication as the authentication mechanism.
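The check below is an added example, not part of this finding's text or of any scanner's own code; all function names are hypothetical and the traffic is constructed. It evaluates one captured request/response pair the way the rationale describes: it flags a Basic or Digest Authorization header (scheme matched case-insensitively), a Basic/Digest WWW-Authenticate challenge from the server, and credentials sent over cleartext HTTP.

```python
import base64
import re

INSECURE_SCHEMES = {"basic", "digest"}  # schemes this finding flags (Digest per the remediation text)
# Basic/Digest challenge token at the start of WWW-Authenticate or after a comma (not realm="basic")
CHALLENGE_RE = re.compile(r"(?:^|,\s*)(basic|digest)(?:\s|$)", re.IGNORECASE)

def parse_message(raw):
    """Split a raw HTTP/1.x message into (start line, {lower-cased header: value})."""
    lines = raw.strip("\n").splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of header block; any body is ignored
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def basic_username(authorization):
    """User name from a Basic credential, or None if malformed. Basic is plain base64, so the
    user:password pair is readable by anyone who sees the header; the user name tells defenders
    which accounts still need to be migrated to a stronger scheme."""
    try:
        decoded = base64.b64decode(authorization.split(None, 1)[1], validate=True)
        user, sep, _ = decoded.decode("utf-8").partition(":")
    except (IndexError, ValueError):  # binascii.Error and UnicodeDecodeError are ValueErrors
        return None
    return user if sep else None

def check_exchange(request_raw, response_raw, over_tls):
    """Evaluate one request/response pair; return the finding strings (empty when clean)."""
    start, req = parse_message(request_raw)
    _, resp = parse_message(response_raw)
    route = " ".join(start.split(" ")[:2])  # e.g. "GET /api/v1/orders"
    findings = []
    authz = req.get("authorization", "")
    scheme = authz.split(None, 1)[0].lower() if authz else None  # scheme token is case-insensitive
    if scheme in INSECURE_SCHEMES:
        findings.append(f"{route}: client authenticates with {scheme.title()} on every request")
        if scheme == "basic" and (user := basic_username(authz)) is not None:
            findings.append(f"{route}: Basic credential for user '{user}' is readable from the header")
        if not over_tls:
            findings.append(f"{route}: credentials sent over cleartext HTTP")
    if CHALLENGE_RE.search(resp.get("www-authenticate", "")):
        findings.append(f"{route}: server challenges clients with Basic/Digest (WWW-Authenticate)")
    return findings

# Constructed sample traffic so the check runs without a live API; credential is base64("demo:demo-password").
SAMPLE_REQUEST = "GET /api/v1/orders HTTP/1.1\nHost: api.example.test\nAuthorization: Basic ZGVtbzpkZW1vLXBhc3N3b3Jk\n"
SAMPLE_RESPONSE = 'HTTP/1.1 401 Unauthorized\nWWW-Authenticate: Basic realm="api"\n'
```

Running `check_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE, over_tls=False)` yields four findings for the sample route; a Bearer-token exchange over TLS yields none.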

Remediation

  • Replace Basic or Digest access authentication with a secure scheme. Strong authentication protocols for web-based applications include:

    • Token-based authentication, implementing temporary access grants using access and refresh tokens (RFC-8898).
    • Public key authentication, usually implemented over HTTPS with an SSL/TLS client certificate.

References

Reference                            | Description
OWASP - Authentication Cheat Sheet   | Authentication Cheat Sheet: guidance on best practices in the area of authentication.
OWASP - REST Security Cheat Sheet    | REST Security Cheat Sheet: guidance on best practices in REST service implementation.