CodeQL documentation

Insecure basic authentication

ID: java/insecure-basic-auth
Kind: path-problem
Security severity: 8.8
Severity: warning
Precision: medium
Tags:
  - security
  - external/cwe/cwe-522
  - external/cwe/cwe-319
Query suites:
  - java-security-extended.qls
  - java-security-and-quality.qls


Basic authentication does not encrypt credentials. It only Base64-encodes the "username:password" pair, and Base64 is an encoding, not a cipher: the header is easy to recognize and trivial to decode. Credentials sent this way must therefore never travel over a cleartext HTTP channel. Transmitting them without HTTPS exposes them to anyone who can observe the traffic, whether by packet sniffing on a shared network or from an on-path position such as a proxy or compromised router.
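To make the point above concrete, here is an added example, not part of the CodeQL documentation or of the query's own source, of what a passive observer on the network path recovers from a Basic-auth request sent over plain HTTP. The raw request text is constructed for the example; its Authorization header encodes the made-up credentials "alice" with password "pa55:word" (chosen so that the password itself contains a colon), and the class and method names are the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Added example: recovering Basic credentials from a cleartext HTTP request. */
public class BasicAuthOnTheWire {

    /** Username and password recovered from one Authorization header. */
    public static final class Credentials {
        public final String username;
        public final String password;

        Credentials(String username, String password) {
            this.username = username;
            this.password = password;
        }

        @Override
        public String toString() {
            return username + " / " + password;
        }
    }

    /**
     * Extract and decode the Basic credentials from a raw HTTP request.
     * Returns null if there is no Basic Authorization header, or if the
     * header is not valid Base64.
     */
    public static Credentials recoverBasicCredentials(String rawRequest) {
        // Headers end at the first blank line; walk them line by line.
        String[] lines = rawRequest.split("\r\n");
        for (String line : lines) {
            if (line.isEmpty()) {
                break;                               // end of the header block
            }
            int colon = line.indexOf(':');
            if (colon < 0) {
                continue;                            // request line, not a header
            }
            String name = line.substring(0, colon).trim();
            String value = line.substring(colon + 1).trim();
            if (!name.equalsIgnoreCase("Authorization")) {
                continue;
            }
            // RFC 7617: "Basic" SP base64(user-id ":" password); the scheme
            // token is case-insensitive. Anything else (e.g. Bearer) is skipped.
            if (value.length() < 6
                    || !value.substring(0, 5).equalsIgnoreCase("Basic")
                    || !Character.isWhitespace(value.charAt(5))) {
                return null;
            }
            byte[] raw;
            try {
                raw = Base64.getDecoder().decode(value.substring(6).trim());
            } catch (IllegalArgumentException e) {
                return null;                         // malformed Base64
            }
            // Base64 is an encoding, not encryption: decoding is the whole "attack".
            String userPass = new String(raw, StandardCharsets.UTF_8);
            // RFC 7617 forbids ':' in the user-id but not in the password,
            // so split only at the first colon.
            int sep = userPass.indexOf(':');
            if (sep < 0) {
                return null;
            }
            return new Credentials(userPass.substring(0, sep), userPass.substring(sep + 1));
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample request (not captured traffic): the "BAD" variant
        // of the query's example as it appears on the wire over http://.
        String captured =
                  "POST /rest/getuser.do?uid=abcdx HTTP/1.1\r\n"
                + "Host: www.example.com\r\n"
                + "Accept: application/json\r\n"
                + "Authorization: Basic YWxpY2U6cGE1NTp3b3Jk\r\n"
                + "Content-Type: application/json\r\n"
                + "\r\n"
                + "{}";
        System.out.println(recoverBasicCredentials(captured));
    }
}
```

Nothing in this recovery step requires a key or any cryptanalysis; the only thing standing between the observer and the password is the transport, which is why the query treats the URL scheme as the deciding factor.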

Recommendation

Either use a more secure authentication mechanism, such as digest authentication or federated authentication, or send the Basic credentials only over HTTPS. Whichever mechanism is chosen, the simplest and most robust fix is to use an https:// URL and to reject http:// endpoints outright rather than silently falling back to them.

Example

The following example shows basic authentication with two HTTP clients: Apache HttpClient's HttpPost and the JDK's HttpURLConnection. In each method the ‘BAD’ line builds an http:// URL, so the Authorization header would be sent in cleartext; the ‘GOOD’ line replaces it with an https:// URL, so the header is protected by TLS.

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.apache.http.client.methods.HttpPost;   // Apache HttpClient 4.x

public class InsecureBasicAuth {
  /**
   * Test basic authentication with Apache HTTP request.
   */
  public void testApacheHttpRequest(String username, String password) {
    // BAD: basic authentication over HTTP
    String url = "http://www.example.com/rest/getuser.do?uid=abcdx";

    // GOOD: basic authentication over HTTPS
    url = "https://www.example.com/rest/getuser.do?uid=abcdx";

    HttpPost post = new HttpPost(url);
    post.setHeader("Accept", "application/json");
    post.setHeader("Content-type", "application/json");

    // Base64 only encodes "user:password"; it does not protect it.
    String authString = username + ":" + password;
    byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes(StandardCharsets.UTF_8));
    String authStringEnc = new String(authEncBytes, StandardCharsets.UTF_8);

    post.addHeader("Authorization", "Basic " + authStringEnc);
  }

  /**
   * Test basic authentication with Java HTTP URL connection.
   */
  public void testHttpUrlConnection(String username, String password) throws IOException {
    // BAD: basic authentication over HTTP
    String urlStr = "http://www.example.com/rest/getuser.do?uid=abcdx";

    // GOOD: basic authentication over HTTPS
    urlStr = "https://www.example.com/rest/getuser.do?uid=abcdx";

    String authString = username + ":" + password;
    String encoding = Base64.getEncoder().encodeToString(authString.getBytes("UTF-8"));

    URL url = new URL(urlStr);
    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
    conn.setRequestMethod("POST");
    conn.setDoOutput(true);
    conn.setRequestProperty("Authorization", "Basic " + encoding);
  }
}
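The example above shows the bad and good URLs side by side, but in real code the scheme usually arrives from configuration, so the check belongs in the code path that attaches the credential. Here is an added example of that hardened form, written for this page and not taken from the CodeQL documentation or the query's source; it uses only the JDK's HttpURLConnection/HttpsURLConnection API, and the class and method names, the sample URLs and the credentials "alice" / "pa55:word" are the example's own.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.net.ssl.HttpsURLConnection;

/** Added example: Basic credentials are only ever attached to an HTTPS connection. */
public class BasicAuthOverTls {

    /** Build the RFC 7617 header value; UTF-8 so non-ASCII passwords round-trip. */
    public static String basicHeader(String username, String password) {
        if (username.indexOf(':') >= 0) {
            // RFC 7617 forbids ':' in the user-id; it would shift the split point.
            throw new IllegalArgumentException("user-id must not contain ':'");
        }
        String userPass = username + ":" + password;
        return "Basic " + Base64.getEncoder()
                .encodeToString(userPass.getBytes(StandardCharsets.UTF_8));
    }

    /** Reject any endpoint that is not HTTPS before a credential is attached. */
    public static URL requireHttps(String urlStr) throws IOException {
        URI uri = URI.create(urlStr);
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IOException("refusing to send Basic credentials over "
                    + uri.getScheme() + ": " + urlStr);
        }
        return uri.toURL();
    }

    /**
     * Open a POST to urlStr carrying Basic credentials, or throw if the scheme
     * is not HTTPS. Automatic redirects are disabled so that a 30x from the
     * server cannot move the request (and its Authorization header) to a
     * location this code did not choose. No network I/O happens here; the
     * caller writes the body and reads the response.
     */
    public static HttpsURLConnection openAuthenticatedPost(
            String urlStr, String username, String password) throws IOException {
        URL url = requireHttps(urlStr);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        if (!(conn instanceof HttpsURLConnection)) {
            throw new IOException("expected a TLS connection for " + urlStr);
        }
        HttpsURLConnection tls = (HttpsURLConnection) conn;
        tls.setInstanceFollowRedirects(false);
        tls.setRequestMethod("POST");
        tls.setDoOutput(true);
        tls.setRequestProperty("Accept", "application/json");
        tls.setRequestProperty("Content-Type", "application/json");
        tls.setRequestProperty("Authorization", basicHeader(username, password));
        return tls;
    }

    public static void main(String[] args) throws IOException {
        // The scheme check runs before any connection is made, so both calls
        // complete offline: the first returns a configured connection, the
        // second is rejected before a header is ever built.
        openAuthenticatedPost("https://www.example.com/rest/getuser.do?uid=abcdx",
                "alice", "pa55:word");
        try {
            openAuthenticatedPost("http://www.example.com/rest/getuser.do?uid=abcdx",
                    "alice", "pa55:word");
        } catch (IOException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Two design choices are worth calling out. The scheme check is done on the URI before openConnection, so a misconfigured http:// endpoint fails loudly instead of leaking the header. Redirect following is switched off deliberately: the JDK client does not follow redirects across protocols on its own, but turning automatic redirects off entirely keeps the decision of where a credentialed request goes in this code rather than in the server's Location header.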


