Plaintext HTTP Authentication Detection

Tenable's research group recently added checks to both Nessus and the Passive Vulnerability Scanner to detect HTTP authentication which occurs over plain-text. This blog entry will discuss why this is an issue, and how the detection methods work.

HTTP Plain Text Authentication Security Risks

If you are new to security and you were analyzing how logins to an HTTP server worked, you would not observe your password. Instead, the HTTP protocol will send an encoded string of your password such as this:

Authorization: Basic cGFzc3dvcmQ=

The form of encoding used is not strong encryption, it is just a way to keep the information from being directly recognized by a human. The algorithm used by web servers is known as "Base 64". Encoding and decoding Base 64 passwords is very easy, which makes it very insecure. There are even online forms where you can encode and decode strings. If you copy the above "cGFzc3dvcmQ=" string into a base 64 decoder, you'll see it is the word 'password'.

Security Risks of Plain Text Authentication

Obviously anyone who can sniff a login session to a web application can gain user name and password information. What is more interesting is why these logins occur in the first place. There are several reasons:

First, security is often added later on in the development of web applications. A very stereotypical view of unsecured application development is to imagine someone working on the core functionality of the application and then worry about authentication later.

And secondly, many applications and web management consoles don't care if they are running over HTTPS (a secured web server) or over plain text. When systems are put into production, unsecured access to the plain text web server on port 80 can be forgotten to be disabled or blocked at the firewall. Application and firmware upgrades can sometimes roll back changes and end up re-enabling the unsecured web server.

Detecting Web Servers and Clients Using Plain text Authentication

Nessus plugin #26194 "Web Server Uses Plain Text Authentication Forms" detects remote web servers that have one or more forms which contain a field named 'password'. This script is dependent on the results of the web_mirror.nasl script which performs a wide variety of web site analysis.

PVS plugins #3018 and #4225 detect both web servers and clients which use plain text HTTP authentication. Since the PVS sniffs both sides of any network session, it can see which web servers accept plain text HTTP authentication as well as which clients are also using this.

Both the Nessus and PVS techniques will discover and observe web servers on port 80 and will also recognize web servers running on non-standard ports.

When analyzing the results from both Nessus and the PVS, consider the location and environment where the test is performed. For example, being able to connect to the web management interface of a router from an internal network is not the same as being able to log into a web application interface from the Internet. Both targets might use plain text HTTP authentication, but have different levels of access to potential attackers.

When analyzing large numbers of systems in an enterprise, tools like the Security Center can help make sense of which assets accept plain text HTTP authentication and may be at higher risk.