Basic HTTP auth

owasp:api2:2019-no-http-basic

Rule Severity:

High

Ensure endpoints do not use the HTTP Basic authentication scheme
This rule applies at the API Specification level (OAS/Swagger).
Endpoints with weak authentication mechanisms are at risk of being breached. Basic authentication should only be used together with other security mechanisms such as HTTPS/SSL.
An HTTP authentication scheme is the way an API is set up to challenge the credentials of users who want to interact with it. In HTTP Basic authentication the credentials are only base64-encoded, not encrypted, so anyone who intercepts the HTTP request can decode them trivially. It is therefore crucial to use HTTP Basic authentication only in conjunction with HTTPS so that the credentials are transmitted securely. Bearer authentication is a more secure alternative: the API authenticates only callers who present an appropriate access token. The access token (bearer token) is an opaque value usually issued by the API after a successful login. A JWT (JSON Web Token) is the recommended structure for the access token (bearer format JWT).

Example Attack Scenario

Brute Force Attacks: Attackers can attempt to guess usernames and passwords by repeatedly sending authentication requests with different combinations of credentials. Since Basic authentication does not include mechanisms to prevent multiple login attempts, it is susceptible to brute force attacks, especially if weak or easily guessable passwords are used.

1. How to Identify with Example Scenario

securitySchemes:
  authType:
    # arbitrary name for the security scheme
    type: http
    scheme: basic

1. How to Resolve with Example Scenario

securitySchemes:
  authType:
    # arbitrary name for the security scheme
    type: http
    scheme: bearer

2. How to Identify with Example Scenario

Find the text in bold (the `scheme: basic` line in the example above) to identify issues such as these in API specifications.

2. How to Resolve with Example Scenario

Modify the text in bold (change `scheme: basic` to `scheme: bearer`, as in the example above) to resolve issues such as these in API specifications.
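As an added example (not the rule's own implementation), the following Python check applies this rule to an OpenAPI document loaded as a dict: it flags HTTP Basic schemes in both OAS 3 (`components.securitySchemes`) and Swagger 2 (`securityDefinitions`) and lists which operations actually rely on each, honouring operation-level `security` overrides. The sample spec is constructed inline; the function names are this example's own.

```python
import json

# Constructed sample OpenAPI 3 document: one HTTP Basic scheme, one Bearer/JWT scheme,
# Bearer applied globally and Basic applied only to POST /login.
SAMPLE_SPEC = json.loads("""
{"openapi": "3.0.3",
 "components": {"securitySchemes": {
   "authType": {"type": "http", "scheme": "basic"},
   "jwtAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"}}},
 "security": [{"jwtAuth": []}],
 "paths": {"/login": {"post": {"security": [{"authType": []}]}},
           "/items": {"get": {}}}}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def basic_auth_schemes(spec):
    """Names of schemes using HTTP Basic: OAS 3 (type http, scheme basic) or Swagger 2 (type basic)."""
    found = []
    for name, s in spec.get("components", {}).get("securitySchemes", {}).items():
        # RFC 7235 scheme names are case-insensitive, so normalise before comparing
        if s.get("type") == "http" and str(s.get("scheme", "")).lower() == "basic":
            found.append(name)
    for name, s in spec.get("securityDefinitions", {}).items():
        if s.get("type") == "basic":
            found.append(name)
    return found


def operations_using(spec, scheme_names):
    """(METHOD, path) pairs whose effective security requirement names one of scheme_names."""
    names, hits = set(scheme_names), []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-item keys such as 'parameters' or 'summary'
            # an operation-level 'security' list overrides the document-level one
            for requirement in op.get("security", spec.get("security", [])):
                if names & set(requirement):
                    hits.append((method.upper(), path))
                    break
    return hits


def findings(spec):
    """One finding per Basic scheme, with the operations that rely on it."""
    return [{"rule": "owasp:api2:2019-no-http-basic", "severity": "High",
             "scheme": name, "operations": operations_using(spec, [name])}
            for name in basic_auth_schemes(spec)]
```

Running `findings(SAMPLE_SPEC)` reports the `authType` scheme and shows that only `POST /login` depends on it, which is the set of operations to migrate to the bearer scheme.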