Http Insecure Digest Auth
Description
This detector identifies web applications that use HTTP Digest Authentication over unencrypted HTTP connections. While Digest Authentication is more secure than Basic Authentication, transmitting it over HTTP still exposes authentication credentials to man-in-the-middle attacks and network eavesdropping, compromising user security.
Detection Strategy
• The target URL must use the HTTP protocol (not HTTPS)
• The HTTP response must contain a WWW-Authenticate header
• The WWW-Authenticate header must specify 'digest' as the authentication type
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.