Fluid Attacks Database

Description

Detects when a web application uses Basic Authentication over unencrypted HTTP connections. Basic Authentication transmits credentials in base64 encoding (effectively cleartext), making them vulnerable to interception when used without HTTPS encryption.

Weakness:

015 - Insecure authentication method - Basic

Category: Protocol Manipulation

Detection Strategy

• The URL must start with 'http://' (not https://)

• The server response must include a WWW-Authenticate header

• The WWW-Authenticate header must specify 'Basic' as the authentication type

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.