New WAS QID 150151 for Basic Authentication Scheme Over HTTP

Document created by Keith Shaw (Employee) on Aug 19, 2016. Last modified by Keith Shaw (Employee) on Aug 23, 2016.
Version 3

Qualys Web Application Scanning (WAS) has added a new QID for detection of Basic Authentication Scheme Over HTTP.

 

Originally authored by vkorde.

 

Description:
Web applications use the Basic Access Authentication Scheme, a.k.a. basic auth, to enforce access controls on web resources. It's the simplest scheme: it doesn't have to deal with cookies or login page intricacies and instead uses standard HTTP headers, obviating the need for handshakes. Basic auth uses Base64 encoding to carry the username and password in an HTTP header. Because Base64 is an encoding and not encryption, the credentials are effectively cleartext. If basic auth is not used in conjunction with an external secure system, such as SSL or TLS, it's vulnerable to packet sniffing.

Detailed steps for setting up basic auth on Apache HTTPD are available on the Authentication and Authorization page of the Apache HTTP Server Version 2.4 documentation.

Requesting a resource secured by basic authentication generates the following HTTP response:

HTTP/1.1 401 Authorization Required
Date: Wed, 27 Jul 2016 11:59:35 GMT
Server: Apache/2.2.17 (Fedora) DAV/2 PHP/5.3.6 mod_ssl/2.2.17 OpenSSL/1.0.0d-fips mod_wsgi/3.1
WWW-Authenticate: Basic realm="Camelot Kingdom"
Content-Length: 572
Connection: close
Content-Type: text/html; charset=iso-8859-1

 

Consequences:
If basic auth is not used in conjunction with an external secure system, such as SSL or TLS, it’s vulnerable to packet sniffing. The attacker can steal user credentials as they’re transferred over the wire in cleartext.

 

Diagnosis:

Qualys WAS reports a vulnerability when basic auth is used over unencrypted HTTP. The Qualys scanner supports multiple realms and is realm-name agnostic. It reports the basic auth over HTTP vulnerability once for each unique realm in the application. For example, if all pages and/or directories of http://example.com/ are using basic auth over HTTP with the realm name "Camelot Kingdom", Qualys will report QID 150151 (Basic Auth Over HTTP) for the base URI http://example.com/ and the realm name "Camelot Kingdom" only once per scan.

The WWW-Authenticate header is extracted for parsing authentication type and the realm value. Further analysis is based on these parsed values. If the response header is found to be empty, the test is aborted.
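
The check described above, sketched in Python as an added example (this is not Qualys scanner code): it parses the WWW-Authenticate value for Basic challenges and their realms, and reports each realm once per base URI when the response arrived over plain HTTP. The function names and the sample responses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Start of a challenge: an auth-scheme token followed by its first name=value parameter.
_SCHEME = re.compile(r'(?:^|,)\s*([\w-]+)[ \t]+(?=[\w-]+\s*=)')
# The realm parameter, as a quoted-string or a bare token.
_REALM = re.compile(r'\brealm\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))', re.IGNORECASE)

def parse_basic_realms(header_value):
    """Return the realms of all Basic challenges, or None if the header is empty."""
    if not header_value or not header_value.strip():
        return None  # empty header: the check is aborted for this response
    starts = list(_SCHEME.finditer(header_value))
    realms = []
    for i, m in enumerate(starts):
        if m.group(1).lower() != "basic":
            continue  # Digest, Negotiate, etc. are out of scope for this check
        end = starts[i + 1].start() if i + 1 < len(starts) else len(header_value)
        found = _REALM.search(header_value[m.end():end])
        if found:
            raw = found.group(1) if found.group(1) is not None else found.group(2)
            realms.append(re.sub(r'\\(.)', r'\1', raw))  # undo quoted-pair escapes
    return realms

def basic_auth_over_http(responses):
    """responses: iterable of (url, headers). One finding per (base URI, realm)."""
    findings = set()
    for url, headers in responses:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # challenge was served over TLS, nothing to report
        value = next((v for k, v in headers.items() if k.lower() == "www-authenticate"), "")
        for realm in parse_basic_realms(value) or []:
            findings.add((f"http://{parts.netloc.lower()}/", realm))
    return sorted(findings)

# Constructed sample responses (not scanner output).
SAMPLE = [
    ("http://example.com/", {"WWW-Authenticate": 'Basic realm="Camelot Kingdom"'}),
    ("http://example.com/admin/", {"www-authenticate": 'Basic realm="Camelot Kingdom"'}),
    ("http://example.com/api/",
     {"WWW-Authenticate": 'Digest realm="api", nonce="abc", Basic realm="Round Table"'}),
    ("https://example.com/secure/", {"WWW-Authenticate": 'Basic realm="Camelot Kingdom"'}),
    ("http://example.com/odd/", {"WWW-Authenticate": ""}),
]

if __name__ == "__main__":
    for base, realm in basic_auth_over_http(SAMPLE):
        print(f"QID 150151  {base}  realm={realm!r}")
```

The five sample responses collapse to two findings: the HTTPS response and the empty header produce none, and the repeated "Camelot Kingdom" realm is reported once.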

Mitigation:
If your application needs to implement basic auth, it's recommended that you use it with an external secure system such as SSL or TLS. RFC 2617, which defines basic auth, itself advocates using an external secure system when implementing access controls for web resources with basic auth.
