Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Detecting Base64 Encoded Authentication Requests

Passive Detection

Monitoring networks for potential security violations can uncover some interesting events and surprising aspects of applications.
Base64 encoding is used by many applications to "obscure" the password when it travels across the network. Base64 encoding does not implement a cryptographic algorithm to protect sensitive information, yet is often used in many networks and end-user applications.



The Passive Vulnerability Scanner (PVS) has a rule to detect clients that are sending authentication credentials (username and password) in Base64 format:

pvs-3018a.png

Using the information provided by PVS, we could construct a very short Perl command to reveal the plain-text password (note: there are many methods and programs that trivially decode base64):

$ echo cGF1bDpzZWNyZXQ= | perl -MMIME::Base64 -ne 'print decode_base64($_),"\n"'

paul:secret

Running PVS gave me insight into which applications were using Base64 as the encoding mechanism for authentication. I found a few applications associated with the popular social networking site "Twitter" to be vulnerable:

  • Twitterific - This application, in its default configuration, sends each request over HTTP and base64 encodes the credentials for the entire session.
  • Tweetdeck - The initial authentication request is now sent over HTTPS (it is still Base64 encoded inside the HTTPS stream). However, if you click on a user's profile within the application it sends the Base64 encoded credentials over HTTP.

  • PVS has another plugin to detect Base64 encoded passwords in any web server that may be in your environment. For example, the Basic Authentication method is implemented in most web servers and is comprised of Base64 encoded credentials. PVS plugin 4225, "HTTP Server basic Authentication Detection" provides this and will generate an alert as follows:

    pvs-4225-example2a.png

    The above screenshot comes from a Tenable research site (hence we cannot show the IP addresses or URLs). I like the fact that this plugin provides the web server path and associated application that triggered the alert. Armed with this information, you can easily track down the offending application. This is a great example of how PVS can be used on your network to keep track of pesky applications that may be using Base64 encoding for authentication credentials.

    Active Detection

    You may also want make sure that your internal applications, such as Apache and IIS web servers, are not configured to use "Basic" authentication. The PVS alert above was generated from an Apache 2.2 web server, using the following configuration:


    AllowOverride AuthConfig
    AuthType Basic
    AuthName "Secret Files"
    AuthUserFile /var/www/secret/.htpasswd
    Require valid-user

    When you login to this particular web site you will be presented with a username and password dialog box requesting your credentials:

    Apache-BasicAuth.png

    The Nessus vulnerability scanner provides a network-based check that will look for the presence of Basic authentication, plugin ID 34850, "Web Server Uses Basic Authentication" as seen below:

    ness-34850.png

    However, there is always a risk that the directory or application that is using "Basic" authentication will not be found by Nessus from the network. This can happen if the directory that is protected using this mechanism is not found in the discovery phase of the scan. To solve this problem Tenable ProfessionalFeed customers can use the compliance checking features of Nessus to audit the Web Server configuration. We provide a compliance file for Apache servers that can be found in Downloads -> Compliance and Audit Files -> Configuration Audit Policies. Then under "Tenable Configuration Audits" download the "Apache Best Practices" compliance checks. I added the following compliance check:

    
    type             : FILE_CONTENT_CHECK_NOT
    description      : "Check if AuthType entry in httpd.conf is correctly set"
    file             : "httpd.conf"
    search_locations : "/usr/local/apache/conf:/etc/httpd"
    regex            : "^[^#]*AuthType .*"
    expect           : "AuthType Basic"
    
    

    The above compliance check will look through the Apache configuration file (that must be placed in the locations listed in the "search_locations" directive) and find any occurrences of "AuthType Basic". If this configuration exists, this test will fail and create an entry in the resulting report:

    AuthType-Failed.png

    As part of a defense-in-depth strategy, you need to have many checks and balances. Relying on just one method of detection is typically not enough. With the example above, we can see how passive network analysis, network vulnerability scanning and local compliance auditing can be used in conjunction with each other to help identify risk on your network.

    References

  • Fun with Basic auth and Base64 encoding by Larry Pesce
  • Apache Project Documentation - Authentication, Authorization and Access Control
  • Passive Discovery of User Accounts - Tenable Blog

  • Related Articles

    Cybersecurity News You Can Use

    Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

    Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

    100 assets

    Choose Your Subscription Option:

    Buy Now

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

    Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

    100 assets

    Choose Your Subscription Option:

    Buy Now

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

    Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

    Tenable Vulnerability Management

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

    100 assets

    Choose Your Subscription Option:

    Buy Now

    Try Tenable Web App Scanning

    Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

    Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

    Buy Tenable Web App Scanning

    Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

    5 FQDNs

    $3,578

    Buy Now

    Try Tenable Lumin

    Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

    Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

    Buy Tenable Lumin

    Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

    Try Tenable Nessus Professional Free

    FREE FOR 7 DAYS

    Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

    NEW - Tenable Nessus Expert
    Now Available

    Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

    Fill out the form below to continue with a Nessus Pro Trial.

    Buy Tenable Nessus Professional

    Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

    Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

    Select Your License

    Buy a multi-year license and save.

    Add Support and Training

    Try Tenable Nessus Expert Free

    FREE FOR 7 DAYS

    Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

    Already have Tenable Nessus Professional?
    Upgrade to Nessus Expert free for 7 days.

    Buy Tenable Nessus Expert

    Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

    Select Your License

    Buy a multi-year license and save more.

    Add Support and Training