HTTP Server Basic Authentication Detection
Severity: Medium | Nessus Network Monitor Plugin ID 4225
Synopsis
The remote host passes information across the network in an insecure manner.
Description
The remote server requires authentication for certain resources. However, the server does not require strong encryption of the credentials it receives. Specifically, the server allows clients to send credentials using HTTP Basic authentication. The client credentials are passed in plaintext and only slightly obfuscated by base64 encoding. Such encoding is trivially reversible, so a passive attacker able to sniff the traffic can easily recover a user's credentials.
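The check this plugin performs can be illustrated with a small passive-inspection routine. The code below is an added example, not the plugin's own implementation: it takes a constructed HTTP exchange (the host name and credentials are hypothetical), flags a server that offers the Basic scheme over a non-TLS connection, and shows how readily the base64-encoded credential in the client request decodes (only the username is returned).

```python
import base64
import binascii

# Constructed sample of a passively observed HTTP exchange over plain TCP.
# Host and credentials are hypothetical and not taken from the plugin page.
SAMPLE_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Basic realm=\"Admin Area\"\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_REQUEST = (
    "GET /admin HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Authorization: Basic YWxpY2U6c2VjcmV0\r\n\r\n"   # base64("alice:secret")
)

def parse_headers(message):
    """Return lowercased header names -> values from a raw HTTP message."""
    head = message.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip request/status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def basic_auth_user(authorization):
    """If the Authorization header uses the Basic scheme, decode it and return
    the username (the password is deliberately withheld). None otherwise."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None                               # malformed token, not Basic creds
    user, sep, _password = decoded.partition(":")
    return user if sep else None

def check_basic_auth(request, response, tls):
    """Report Basic auth offered or used on a connection that is not TLS-protected.
    Returns a list of finding strings (empty when nothing is exposed)."""
    findings = []
    if tls:
        return findings                           # credentials encrypted in transit
    www = parse_headers(response).get("www-authenticate", "")
    if www.lower().startswith("basic"):
        findings.append("server offers HTTP Basic authentication over plaintext")
    user = basic_auth_user(parse_headers(request).get("authorization", ""))
    if user is not None:
        findings.append(f"client sent Basic credentials in the clear (user '{user}')")
    return findings
```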
Solution
Use SSL or a stronger authentication mechanism.