
How to remediate – Basic Authentication Detected

1. Introduction

Basic Authentication Detected indicates that a web page is protected using Basic authentication, a simple method for securing HTTP communications. This poses a security risk as credentials are sent encoded but not encrypted, making them vulnerable to interception by attackers. Systems commonly affected include web servers and applications utilizing HTTP basic authentication. A successful attack could compromise confidentiality, integrity, and availability of the protected resource.

2. Technical Explanation

The vulnerability occurs when a web application relies on Basic Authentication without implementing Transport Layer Security (TLS) to encrypt the communication channel. An attacker can intercept network traffic and decode the Base64 encoded username and password, gaining unauthorized access. Preconditions include an unencrypted HTTP connection between the client and server.

  • Root cause: The use of Basic Authentication over plain HTTP without TLS encryption.
  • Exploit mechanism: An attacker intercepts the HTTP traffic using tools like Wireshark or a proxy, decodes the Base64 encoded credentials from the Authorization header, and uses these credentials to access the application. For example, an attacker could use a man-in-the-middle attack on a public Wi-Fi network.
  • Scope: Web servers and applications using HTTP Basic Authentication without TLS encryption are affected.

3. Detection and Assessment

Confirming vulnerability involves checking for the presence of Basic authentication headers in HTTP responses. A thorough assessment includes analyzing web application configurations and traffic patterns.

  • Quick checks: Use a browser’s developer tools to inspect network requests and look for an ‘Authorization’ header with ‘Basic’ credentials when accessing protected pages.
  • Scanning: Nessus plugin ID 10384 can detect Basic Authentication without TLS. This is provided as an example only.
  • Logs and evidence: Web server logs may show authentication attempts using Basic Authentication. Look for HTTP requests carrying an ‘Authorization: Basic’ header and for server responses carrying a ‘WWW-Authenticate: Basic’ challenge. The command below checks the plain-HTTP URL for the challenge (curl -v writes headers to stderr, so it is merged into the pipe with 2>&1):
curl -sv http://example.com/protected-page 2>&1 | grep -iE 'www-authenticate: basic|authorization'

4. Solution / Remediation Steps

Fixing this issue requires disabling Basic Authentication or enabling TLS encryption for all HTTP communications. The following steps provide a precise guide to secure the application.

4.1 Preparation

  • Ensure you have access to modify the web server configuration and restart the service. A rollback plan involves restoring the original configuration file.
  • A change window may be required depending on the production environment, with approval from system owners.

4.2 Implementation

  1. Step 1: Enable TLS encryption (HTTPS) for the web application using a valid SSL/TLS certificate.
  2. Step 2: Disable Basic Authentication in the web server configuration.
  3. Step 3: Restart the web server to apply the changes.

4.3 Config or Code Example

Before

# Apache configuration example (httpd.conf), inside the <Directory> or <Location> block for the protected page
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /path/to/.htpasswd
Require valid-user

After

# Apache configuration example (httpd.conf) - Remove the above lines and ensure HTTPS is enabled
Listen 443 https
SSLEngine on
... other SSL configurations ...

4.4 Security Practices Relevant to This Vulnerability

Several security practices directly address this vulnerability type. Implementing TLS encryption, using strong authentication methods, and regularly reviewing server configurations can prevent unauthorized access.

  • Practice 1: Use TLS encryption (HTTPS) for all web communications to protect data in transit.
  • Practice 2: Implement multi-factor authentication (MFA) to add an extra layer of security beyond username and password.

4.5 Automation (Optional)

# Example Ansible task to disable Basic Authentication in Apache configuration; every directive of the
# Basic auth block is removed, since a leftover Require directive without an AuthType makes httpd fail to start
- name: Disable Basic Authentication
  ansible.builtin.lineinfile:
    path: /etc/httpd/conf/httpd.conf
    regexp: "{{ item }}"
    state: absent
    backup: yes
  loop:
    - '^\s*AuthType\s+Basic'
    - '^\s*AuthName\s'
    - '^\s*AuthUserFile\s'
    - '^\s*Require\s+valid-user'

5. Verification / Validation

Confirming the fix involves verifying that TLS encryption is enabled and Basic Authentication is disabled. A negative test ensures unauthorized access is prevented without valid credentials.

  • Post-fix check: Use a browser’s developer tools to confirm HTTPS is used when accessing the web application.
  • Re-test: Re-run the earlier detection method (curl command) and verify that the response no longer contains a ‘WWW-Authenticate: Basic’ challenge and that no ‘Authorization’ header is sent over plain HTTP.
  • Smoke test: Ensure users can still access protected resources using a secure authentication method like TLS client certificates or other forms of MFA.
  • Monitoring: Monitor web server logs for any failed authentication attempts, which could indicate an ongoing attack.
curl -sv http://example.com/protected-page 2>&1 | grep -iE 'www-authenticate: basic|authorization' # Should return no output
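As an added example that is not part of this article, the Python script below performs the detection check of section 3 and the re-test of section 5 offline, against captured request and response headers of the kind seen in browser developer tools or in `curl -v` output. The captured exchanges, the host example.com and the credentials alice/s3cret are constructed for the demonstration.

```python
"""Added example (not from the original article): classify a captured HTTP exchange
(headers from browser developer tools or `curl -v`) for Basic auth over plain HTTP."""
import base64

def parse_message(raw):
    """Return (start line, {lowercased header name: value}) for one HTTP message."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if value:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def assess(scheme, request_raw, response_raw):
    """Classify one exchange; scheme is the URL scheme the client used (http/https)."""
    _, req = parse_message(request_raw)
    status, resp = parse_message(response_raw)
    code = int(status.split()[1])
    challenge = resp.get("www-authenticate", "").lower().startswith("basic")
    auth = req.get("authorization", "")
    sends_basic = auth.lower().startswith("basic ")
    redirect_to_tls = (code in (301, 302, 307, 308)
                       and resp.get("location", "").startswith("https://"))
    finding = {"basic_challenge": challenge, "client_sent_basic": sends_basic,
               "username": None, "severity": "none"}
    if sends_basic:
        # Base64 is encoding, not encryption: anyone holding the capture can read the
        # credentials. Only the username is reported; the password is discarded.
        decoded = base64.b64decode(auth.split(" ", 1)[1]).decode("utf-8", "replace")
        finding["username"] = decoded.split(":", 1)[0]
    if scheme == "http" and (challenge or sends_basic):
        finding["severity"] = "high"  # credentials cross the network unencrypted
    elif scheme == "http" and redirect_to_tls:
        finding["severity"] = "none"  # plain HTTP is sent to TLS before any challenge
    elif challenge or sends_basic:
        finding["severity"] = "low"   # Basic over TLS: tolerable, but prefer MFA (4.4)
    return finding

# Constructed capture: example.com challenges Basic over plain HTTP and the client
# resends with "alice:s3cret" Base64-encoded (the sample password is not real).
REQ_HTTP = ("GET /protected-page HTTP/1.1\r\nHost: example.com\r\n"
            "Authorization: Basic YWxpY2U6czNjcmV0\r\n")
RESP_HTTP = ("HTTP/1.1 401 Unauthorized\r\n"
             'WWW-Authenticate: Basic realm="Restricted Area"\r\nContent-Length: 0\r\n')
RESP_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/protected-page\r\n"
if __name__ == "__main__":
    print("before fix:", assess("http", REQ_HTTP, RESP_HTTP))
    print("after fix: ", assess("http", "GET / HTTP/1.1\r\nHost: example.com\r\n", RESP_REDIRECT))
```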

6. Preventive Measures and Monitoring

Preventive measures include updating security baselines, implementing secure coding practices, and regularly patching systems. For example, ensure TLS is enabled by default in all new web application deployments.

  • Baselines: Update your server baseline to require TLS encryption for all web applications.
  • Pipelines: Integrate SAST tools into the CI/CD pipeline to identify and prevent insecure configurations like Basic Authentication over HTTP.
  • Asset and patch process: Implement a regular patch cycle for web servers and applications to address known vulnerabilities promptly.

7. Risks, Side Effects, and Roll Back

Potential risks include service disruption if TLS configuration is incorrect or compatibility issues with older clients. Roll back steps involve restoring the original web server configuration file.

  • Risk or side effect: Older clients may not support TLS, causing compatibility issues. Mitigation: Provide alternative access methods for older clients if necessary.
  • Roll back: Restore the original web server configuration file from backup and restart the service.

8. References and Resources

Updated on December 27, 2025
