
HTTP Server Basic Authentication Detection

Medium

Synopsis

The remote host passes information across the network in an insecure manner.

Description

The remote web server requires authentication for certain resources, but it does not require the credentials to be protected in transit. Specifically, the server challenges clients with a 'WWW-Authenticate: Basic' header, and clients answer with an 'Authorization: Basic' header containing the string 'user:password' encoded in base64. Base64 is an encoding, not encryption: it is reversible without any key, so the credentials are effectively sent in plaintext. A passive attacker able to sniff the traffic (or any intermediary on the path) can recover the user's credentials and reuse them.
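The following script, added here as an illustration and not part of the plugin, shows both halves of the check described above: it detects a 'WWW-Authenticate: Basic' challenge in a server response and, given a captured client request, recovers the plaintext username and password from the base64 token. The HTTP messages, hostname and credentials are constructed for the example and are not from any real capture.

```python
import base64
import re

# Constructed sample traffic (not a real capture): a plaintext HTTP exchange
# in which the server demands Basic auth and the client answers the challenge.
SAMPLE_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Apache\r\n"
    "WWW-Authenticate: Basic realm=\"Restricted Area\"\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

SAMPLE_REQUEST = (
    "GET /admin/ HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Authorization: Basic YWRtaW46cyNjcjN0UGFzcw==\r\n"
    "\r\n"
)


def parse_headers(message):
    """Return (name, value) pairs from the head of a raw HTTP message.

    Header names are lower-cased so callers can compare case-insensitively,
    as HTTP requires. The first line (status or request line) is skipped.
    """
    head = message.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


# A Basic challenge is the scheme token optionally followed by a quoted realm.
_BASIC_CHALLENGE = re.compile(r'^basic(?:\s+realm="([^"]*)")?', re.IGNORECASE)


def basic_auth_realms(response):
    """Realms offered through WWW-Authenticate: Basic challenges.

    Returns an empty list when the server does not offer Basic authentication.
    """
    realms = []
    for name, value in parse_headers(response):
        if name != "www-authenticate":
            continue
        match = _BASIC_CHALLENGE.match(value)
        if match:
            realms.append(match.group(1) or "")
    return realms


def decode_basic_credentials(request):
    """Recover (user, password) from an Authorization: Basic header.

    No key is needed: base64 is reversible, which is exactly the weakness
    described above. Returns None when the request carries no such header.
    """
    for name, value in parse_headers(request):
        if name == "authorization" and value.lower().startswith("basic "):
            token = value.split(None, 1)[1]
            decoded = base64.b64decode(token).decode("utf-8", "replace")
            # RFC 7617: the first colon separates user from password,
            # so a password may itself contain colons.
            user, _, password = decoded.partition(":")
            return user, password
    return None


def assess(url, response):
    """Plugin-style verdict for one URL and the response it produced.

    Basic auth over plain http is the finding; over https the credentials
    are at least protected in transit, so it is reported only informationally.
    """
    realms = basic_auth_realms(response)
    if not realms:
        return None
    scheme = url.split("://", 1)[0].lower()
    if scheme == "https":
        return "Basic authentication offered over TLS for realm(s) %r" % (realms,)
    return "Basic authentication offered in the clear for realm(s) %r" % (realms,)


if __name__ == "__main__":
    print(assess("http://example.test/admin/", SAMPLE_RESPONSE))
    print("recovered credentials:", decode_basic_credentials(SAMPLE_REQUEST))
```

Run against the constructed messages, the script reports the plaintext Basic challenge for the 'Restricted Area' realm and prints the recovered username and password; the same decoding works on any 'Authorization: Basic' header captured from unencrypted traffic.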

Solution

Serve the protected resources only over HTTPS (SSL/TLS), so that the Basic credentials are encrypted in transit and cannot be read by a passive attacker, or replace HTTP Basic authentication with a stronger mechanism that does not transmit the password in a recoverable form.