PHP Basic Auth Header Hardcoded Credentials
Description
Detects PHP applications that send hardcoded HTTP Basic Authentication credentials in curl requests. Storing authentication credentials directly in source code is a security risk: anyone who can read the source, the version control history or a built artifact obtains the credentials. Base64-encoding the username:password pair, as the Basic scheme requires, does not protect it, since the encoding is trivially reversible.
Detection Strategy
• Identifies curl_setopt function calls in PHP code that set HTTP headers (CURLOPT_HTTPHEADER)
• Examines whether the header values contain the strings 'basic' and 'auth', indicating Basic Authentication usage
• Reports a vulnerability when the Basic Authentication credentials are specified directly in the code rather than retrieved from secure configuration (for example, environment variables as in the secure example below)
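As an added illustration of this strategy (example code, not Fluid Attacks' detector), the following Python script applies the three steps above to PHP source text: it finds curl_setopt calls that set CURLOPT_HTTPHEADER, looks for an Authorization: Basic header in the header argument, and then checks whether the credential material is a string literal in the file or comes from a getenv, $_ENV, $_SERVER or config lookup. The PHP samples embedded in it are constructed for the example, and the regex-based parsing is a heuristic rather than a full PHP parser.

```python
"""Heuristic check for hardcoded HTTP Basic Auth credentials in PHP curl code.

Added example (not Fluid Attacks' detector). It mirrors the strategy above:
find curl_setopt(..., CURLOPT_HTTPHEADER, ...), look for an 'Authorization: Basic'
header, then decide whether the credential is a source literal or external config.
"""
import re

LITERAL_ASSIGN = re.compile(r"\$(\w+)\s*=(?!=)\s*(['\"])(.*?)\2\s*;")  # $x = 'literal';
EXTERNAL_ASSIGN = re.compile(r"\$(\w+)\s*=(?!=)\s*(?:getenv|\$_ENV|\$_SERVER|config)\b")
BASIC_HEADER = re.compile(r"(['\"])Authorization:\s*Basic\s*(\S*?)\1", re.IGNORECASE)
VAR_REF = re.compile(r"\$(\w+)")


def _balanced(src, start):
    """Text between the '(' at src[start] and its matching ')'."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    return src[start + 1:]


def _element(expr, pos):
    """The array element starting at expr[pos], up to the next top-level comma or bracket."""
    depth, quote = 0, None
    for i in range(pos, len(expr)):
        ch = expr[i]
        if quote:
            if ch == quote and expr[i - 1] != "\\":
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "([":
            depth += 1
        elif ch in ")]," :
            if depth == 0:
                return expr[pos:i]
            if ch != ",":
                depth -= 1
    return expr[pos:]


def _header_expressions(src):
    """Yield the CURLOPT_HTTPHEADER argument of each curl_setopt call, resolving $var."""
    for call in re.finditer(r"curl_setopt\s*\(", src):
        args = _balanced(src, call.end() - 1)
        rest = args.split("CURLOPT_HTTPHEADER", 1)
        if len(rest) < 2 or "," not in rest[1]:
            continue
        expr = rest[1].split(",", 1)[1].strip()
        var = re.fullmatch(r"\$(\w+)", expr)
        if var:  # headers were built earlier into a variable: follow its assignment
            assign = re.search(r"\$" + var.group(1) + r"\b\s*=(?!=)\s*([^;]*);", src, re.S)
            expr = assign.group(1) if assign else ""
        yield expr


def find_hardcoded_basic_auth(src):
    """Return a list of findings (empty when no hardcoded Basic Auth credential is seen)."""
    literal_vars = {m.group(1) for m in LITERAL_ASSIGN.finditer(src)}
    external_vars = {m.group(1) for m in EXTERNAL_ASSIGN.finditer(src)}
    findings = []
    for expr in _header_expressions(src):
        for m in BASIC_HEADER.finditer(expr):
            element = _element(expr, m.start()).strip()
            if m.group(2):  # token written straight into the header string
                findings.append(f"inline credential token in header: {element}")
                continue
            used = set(VAR_REF.findall(element))
            hardcoded = sorted(v for v in used if v in literal_vars and v not in external_vars)
            if hardcoded:
                findings.append("hardcoded credential variable(s) " + ", ".join("$" + v for v in hardcoded))
            elif not (used & external_vars) and re.search(r"base64_encode\s*\(\s*['\"]", element):
                findings.append(f"string literal passed to base64_encode: {element}")
    return findings


# Constructed PHP samples for the demonstration (not from the page); the header-building
# and curl_setopt lines are shared, only the source of the credentials differs.
_REQUEST = """$headers = [
    'Authorization: Basic ' . base64_encode($username . ':' . $password),
    'Content-Type: application/json',
];
$ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
"""
VULNERABLE_PHP = "<?php\n$username = 'username';\n$password = 'password';\n" + _REQUEST
SECURE_PHP = "<?php\n$username = getenv('API_USERNAME');\n$password = getenv('API_PASSWORD');\n" + _REQUEST
INLINE_PHP = "<?php\n$ch = curl_init();\ncurl_setopt($ch, CURLOPT_HTTPHEADER, ['Authorization: Basic dXNlcjpwYXNz']);\n"
```

Running find_hardcoded_basic_auth over VULNERABLE_PHP reports $password and $username as hardcoded, INLINE_PHP is reported for the token embedded in the header string, and SECURE_PHP produces no finding because both variables come from getenv. The heuristic deliberately errs toward the page's rule: a variable is only considered external when its assignment uses one of the listed lookups, so credentials read from an included config file must be assigned through such a lookup to be accepted, and a literal fallback such as getenv('X') ?: 'admin' is not caught.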
Vulnerable code example
<?php
// Minimal example demonstrating unsafe Basic Auth credential handling
$username = 'username'; // Hardcoded credentials are a security risk
$password = 'password';
$headers = [
    'Authorization: Basic ' . base64_encode($username . ':' . $password),
    'Content-Type: application/json',
];
// The hardcoded pair is sent with every request made through this handle
$ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
✅ Secure code example
<?php
// Load credentials securely from environment variables
$username = getenv('API_USERNAME'); // Credentials from environment, not hardcoded
$password = getenv('API_PASSWORD');
if (!$username || !$password) {
    throw new RuntimeException('API credentials not properly configured');
}
$headers = [
    'Authorization: Basic ' . base64_encode($username . ':' . $password),
    'Content-Type: application/json',
];
$ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);