The following header was observed in the request to the given page:
Authorization: Basic **
What's the risk?
Contrast noticed browsers using HTTP Basic Authentication or Digest Authentication while communicating with the application. These protocols are old and are not intended to deliver enterprise-strength authentication.
The Basic Authentication protocol simply hides the plaintext username and password inside of Base64 encoding, and issues it as an AUTHORIZATION header. To any attacker sniffing network traffic, the credentials may as well be in plaintext. Base64 offers zero cryptographic functionality. It is a keyless, deterministic algorithm, and most attack tools decode such credentials automatically.
The Digest Authentication protocol is superior to Basic Authentication in that it doesn't offer a user's password in plaintext. Instead, it offers a method of authentication that proves knowledge of a secret (a password) without passing the password directly. Since RFC2617, the optional security features of Digest Authentication have been improved, but not enforced. The disadvantages of the protocol, including the changes in RFC2617, are subtle:
Digest authentication is easily attacked by a man-in-the-middle (MITM) scenario.
Use of digest authentication precludes the usage of recommended password digests like bcrypt. Passwords, or some digested combination of the password and other metadata must be available to the server in plaintext in order to use this protocol.
Recommendation
Moving authentication protocols is not easy. That being said, there are serious, fundamental weaknesses in the protocols chosen. The best, long term recommendation is to move towards a form-based authentication.
It is extremely unlikely that specification-driven HTTP authentication protocols will ever meet the security requirements of your organization. It's also unlikely that improvements to these protocols will be integrated into browsers and server frameworks in any reasonable amount of time.
Vulnerability ID: Y5ZX-GGN6-2S6J-ELPV
Application Name: AgentMessageGeneratorJava
Vulnerability Link: http://localhost:19080/Contrast/static/ng/index.html#/7c6cfec5-a187-4d5e-984a-d11d96d2ef63/applications/6394f24f-037b-43bb-8ac2-05fa5fb5d862/vulns/Y5ZX-GGN6-2S6J-ELPV
What Happened?
Contrast detected browsers using HTTP {{#link}}http://en.wikipedia.org/wiki/Basic_access_authentication$$LINK_DELIM$$Basic Authentication{{/link}} or {{#link}}http://en.wikipedia.org/wiki/Digest_access_authentication$$LINK_DELIM$$Digest Authentication{{/link}} while communicating with the application. These protocols are old and are not intended to deliver enterprise-strength authentication.
The following header was observed in the request to the given page:
Authorization: Basic **
What's the risk?
Contrast noticed browsers using HTTP Basic Authentication or Digest Authentication while communicating with the application. These protocols are old and are not intended to deliver enterprise-strength authentication.
Recommendation
Moving authentication protocols is not easy. That being said, there are serious, fundamental weaknesses in the protocols chosen. The best, long term recommendation is to move towards a form-based authentication.
It is extremely unlikely that specification-driven HTTP authentication protocols will ever meet the security requirements of your organization. It's also unlikely that improvements to these protocols will be integrated into browsers and server frameworks in any reasonable amount of time.
First Event
(no event)Last Event
(no event)HTTP Request
GET http://localhosthttp://localhost/?foo=bar??foo=bar&id=23 HTTP/1.0 Authorization: Basic ** Host: localhost
References
https://www.owasp.org/index.php/Insecure_Configuration_Management