Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Plaintext HTTP Authentication Detection

Tenable's research group recently added checks to both Nessus and the Passive Vulnerability Scanner to detect HTTP authentication which occurs over plain-text. This blog entry will discuss why this is an issue, and how the detection methods work.

HTTP Plain Text Authentication Security Risks

If you are new to security and you were analyzing how logins to an HTTP server worked, you would not observe your password. Instead, the HTTP protocol will send an encoded string of your password such as this:

Authorization: Basic cGFzc3dvcmQ=

The form of encoding used is not strong encryption, it is just a way to keep the information from being directly recognized by a human. The algorithm used by web servers is known as "Base 64". Encoding and decoding Base 64 passwords is very easy, which makes it very insecure. There are even online forms where you can encode and decode strings. If you copy the above "cGFzc3dvcmQ=" string into a base 64 decoder, you'll see it is the word 'password'.

Security Risks of Plain Text Authentication

Obviously anyone who can sniff a login session to a web application can gain user name and password information. What is more interesting is why these logins occur in the first place. There are several reasons:

First, security is often added later on in the development of web applications. A very stereotypical view of unsecured application development is to imagine someone working on the core functionality of the application and then worry about authentication later.

And secondly, many applications and web management consoles don't care if they are running over HTTPS (a secured web server) or over plain text. When systems are put into production, unsecured access to the plain text web server on port 80 can be forgotten to be disabled or blocked at the firewall. Application and firmware upgrades can sometimes roll back changes and end up re-enabling the unsecured web server.

Detecting Web Servers and Clients Using Plain text Authentication

Nessus plugin #26194 "Web Server Uses Plain Text Authentication Forms" detects remote web servers that have one or more forms which contain a field named 'password'. This script is dependent on the results of the web_mirror.nasl script which performs a wide variety of web site analysis.

PVS plugins #3018 and #4225 detect both web servers and clients which use plain text HTTP authentication. Since the PVS sniffs both sides of any network session, it can see which web servers accept plain text HTTP authentication as well as which clients are also using this.

Both the Nessus and PVS techniques will discover and observe web servers on port 80 and will also recognize web servers running on non-standard ports.

When analyzing the results from both Nessus and the PVS, consider the location and environment where the test is performed. For example, being able to connect to the web management interface of a router from an internal network is not the same as being able to log into a web application interface from the Internet. Both targets might use plain text HTTP authentication, but have different levels of access to potential attackers.

When analyzing large numbers of systems in an enterprise, tools like the Security Center can help make sense of which assets accept plain text HTTP authentication and may be at higher risk.

Related Posts

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,190.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security