Under the Hood #1: Basic Authentication

Ba Yin Min
3 min read · Nov 18, 2018

TL;DR Get familiar with what Basic Authentication looks like in HTTP proxy traffic and understand the security implications. At a minimum, HTTPS must be enforced when Basic Authentication is used.

Many a time, the discussion between pentesters and developers goes back and forth:

Developer:

It is hidden on the page; no user can see it!

Pentester:

That data can be seen in the traffic!

and the confusion ensues.

Though this post is not about how hidden data can be unearthed from a page (see here for why client-side protection doesn’t matter), I guess it might be helpful to have a visual example of what some of the key technologies look like behind beautifully crafted web pages.

What it looks like: Basic Authentication

A sample page implements Basic Authentication: the user is required to provide a username and password to authenticate. The browser traffic can be configured to proxy through an HTTP proxy tool to see the sample traffic. (Coming soon: how to set up an HTTP proxy tool.)
When the browser request is proxied through an HTTP proxy such as Burp, the traffic shown above can be seen. The left side of the screenshot shows the HTTP request the browser sent and the right side shows the HTTP response the server returned to the browser. The browser sent a Basic Authorization header with every request. Note the seemingly complex value Z3Vlc3Q6Z3Vlc3Q= in the header.
In reality, Z3Vlc3Q6Z3Vlc3Q= is a Base64-encoded string and can easily be decoded to the plaintext value guest:guest.
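To make that decoding step concrete, here is an added example (not code from the original post) that pulls the Authorization header out of a constructed proxy capture like the one described and decodes it. The request text, the host name and the function names are assumptions made for the example; the only value taken from the post is the header token itself.

```python
import base64
import binascii

# Constructed sample of what an intercepting proxy shows for a request the
# browser sends after the user typed guest / guest into the Basic
# Authentication prompt (not a capture from the original post).
SAMPLE_REQUEST = (
    "GET /protected/ HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)


def authorization_header(raw_request):
    """Return the value of the Authorization header of a raw HTTP request, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            return value.strip()
    return None


def decode_basic_auth(header_value):
    """Decode 'Basic <base64>' into (user_id, password).

    RFC 7617 defines the token as base64(user-id ":" password); the user-id
    cannot contain a colon but the password may, so split on the first one.
    Returns None when the header is not a syntactically valid Basic credential.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")              # older clients send Latin-1
    user_id, sep, password = text.partition(":")
    if not sep:
        return None
    return user_id, password


def encode_basic_auth(user_id, password):
    """Build the header value a browser would send; the inverse of decode_basic_auth."""
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    value = authorization_header(SAMPLE_REQUEST)
    print("header :", value)
    print("decoded:", decode_basic_auth(value))   # ('guest', 'guest')
```

The round trip is the whole point: anything that can read the request (a proxy, a log file, a network tap on a plain HTTP link) gets the password back with one Base64 decode, which is why the encoding offers no confidentiality at all.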

Is it secure?

  • Though this authentication type can be considered rather old technology, I still come across many applications using it, especially on “internal” networks or intranet applications. Some might say this authentication scheme is insecure because both username and password are transmitted in plaintext (yes, Base64 doesn’t count as encryption; it is just a form of encoding, and you just saw how easily it can be decoded).
  • On the other hand, some argue that as long as HTTPS is strictly enforced when Basic Authentication is used, it makes no difference from other cookie/form-based authentication (most websites send the username/password to the server in plaintext when submitting through a login form anyway).
  • Basic Authentication is unable to leverage the conventional session management protective mechanisms: the browser resends the credentials with every request, as seen above. (This is a topic for another day, I guess.)

The security baseline:

  • Whichever side you are on, HTTPS is a must when using Basic Authentication. You would be surprised how many intranet applications still use a plain HTTP channel.

No reason not to use HTTPS:

  • Nowadays, there is no reason not to use HTTPS. The major browsers are marking HTTP sites as insecure (check how Chrome is doing it and how Firefox is doing it).
  • If one worries about the cost of buying an SSL certificate, there are free initiatives promoting a secure web (check the free SSL certificates from Let’s Encrypt).

Conclusion

Get familiar with what Basic Authentication looks like to pentesters and understand the security implications.

Of course, this post is based on personal experience and online references; one should not believe internet posts without proper research.

Code securely and stay safe! It’s a mad world out there! :D

Ba Yin Min

Pentester. Application & Cyber Security enthusiast. Insatiable learner.