Pentesting Basic Authentication
Table of Contents
We’ve all seen this before:
But what goes on behind the scenes? Let’s dive in and explore basic authentication.
What is Basic Authentication?
Basic Authentication is a lightweight authentication scheme designed to allow administrators to protect web-based applications with a username and password.
While appropriate for non-critical applications, basic authentication does not always meet modern standards for secure applications. When compared to cookie-based session management schemes, basic authentication is generally considered inferior and obsolete.
Basic Auth Example
After authenticating, a web browser will include the following header with every request:
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
The Base64 string dXNlcm5hbWU6cGFzc3dvcmQ= decodes to username:password.
What are Realms?
Basic Authentication supports optional ‘realms` which can divide areas of an application to be protected by different credentials. This allows the server to use different databases and different credentials sets for various parts of the application.
Most configurations will not require this.
Is Basic Authentication Secure?
Basic Authentication can be used in a secure fashion, however, there are a number of fundamental behaviors that many would consider insecure by default. The security requirements of an application should be taken on a case by case basis.
Problems with Basic Authentication
Below are some of the primary security risks with basic authentication:
-
The username and password are sent in every request. Although they are encoded with Base64, this does not add any security since they can be decoded easily.
-
Most configurations of Basic Authentication do not implement protection against password brute forcing.vFor external-facing systems, this may pose a heightened risk as anyone on the internet can attempt to brute force passwords for weeks, months, or years.
-
Logout functionality is not supported. Although there are workarounds for this, they are not supported by all browsers.
-
Passwords cannot be easily reset. If a user loses their credentials, they should be able to reset their password immediately. This is not possible in most basic authentication implementations.
Pentesting Basic Authentication
Basic authentication is a frequent vulnerability reported during pentests, however, pentesters should take care to evaluate these specific vulnerabilities:
-
Is sensitive information revealed in a
realm? On external networks, a realm should not reveal internal information such as system names. -
Is account lockout functionality implemented? Some implementations support lockouts, so it should not be assumed this control doesn’t exist.
Leveraging your tools when testing applications using basic auth can help as well. In Burpsuite under User Options, you can store your credentials to avoid repetitive logouts:
In other situations you may find yourself needing to pass basic auth credentials with curl. In which case, can be done with:
curl -u username:password http://