| Details | |
|---|---|
| Alert ID | 10105-1 |
| Alert Type | Passive |
| Status | release |
| Risk | Medium |
| CWE | 287 |
| WASC | 1 |
| Technologies Targeted | All |
| Tags |
CWE-287 OWASP_2017_A02 OWASP_2017_A03 OWASP_2021_A01 OWASP_2021_A02 WSTG-V42-ATHN-01 |
| More Info |
Scan Rule Help |
Summary
An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted. The attacker eavesdrops on the network until an authentication has completed.
Solution
Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken.Other Info
[POST] [http://www.example.com] uses insecure authentication mechanism [Digest], revealing username [admin] and additional information [username="admin", realm="members only"].References
- https://owasp.org/www-community/attacks/Brute_force_attack
- https://en.wikipedia.org/wiki/Digest_access_authentication