H3-2022-0075

Public-Facing Application Exposed with HTTP Basic Authentication

Category SECURITY_MISCONFIGURATION
Base Score 3.0

Description

An application that uses HTTP basic authentication is reachable from the Internet. With basic authentication, credentials travel in an HTTP header and may be cached by web browsers; cached credentials can be abused in CSRF attacks. Because the credentials are also sent unencrypted with every HTTP request, the risk of interception and credential reuse increases. Applications that rely on basic authentication alone also provide no protection against brute-force attacks.
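An added example (not part of this finding's original text) showing how a scanner would confirm this misconfiguration from a single response: it recognises a Basic challenge in `WWW-Authenticate`, decodes an `Authorization` header to illustrate that Base64 is reversible rather than encryption, and flags plaintext HTTP and the absence of rate-limit headers. The sample header values and the `example.invalid` URL are constructed for illustration.

```python
import base64
import re
from typing import Optional

# Constructed sample values (not from the original finding), shaped as a scanner would see them.
SAMPLE_CHALLENGE = 'Basic realm="Admin Area", charset="UTF-8"'
SAMPLE_AUTHORIZATION = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")


def basic_realm(www_authenticate: str) -> Optional[str]:
    """Return the realm if the challenge uses the Basic scheme, else None (scheme is case-insensitive)."""
    m = re.match(r"\s*basic(?:\s+(.*))?$", www_authenticate, re.IGNORECASE | re.DOTALL)
    if not m:
        return None
    realm = re.search(r'realm\s*=\s*"([^"]*)"', m.group(1) or "", re.IGNORECASE)
    return realm.group(1) if realm else ""


def decode_basic_credentials(authorization: str) -> Optional[tuple]:
    """Recover user-id and password from an Authorization header: Base64 is reversible, not encryption."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def assess_exposure(url: str, response_headers: dict) -> list:
    """Turn one public-facing response into finding strings for this misconfiguration."""
    headers = {k.lower(): v for k, v in response_headers.items()}
    realm = basic_realm(headers.get("www-authenticate", ""))
    if realm is None:
        return []  # no Basic challenge: not this finding
    findings = [f"{url}: HTTP Basic authentication challenge (realm {realm!r}) reachable from the Internet"]
    if url.lower().startswith("http://"):
        findings.append(f"{url}: credentials would travel over plaintext HTTP on every request")
    # Heuristic only: missing rate-limit headers hint, but do not prove, that brute force is unthrottled.
    if not any(h in headers for h in ("retry-after", "ratelimit-limit", "x-ratelimit-limit")):
        findings.append(f"{url}: no rate-limit headers observed; brute force not evidently throttled")
    return findings


if __name__ == "__main__":
    for line in assess_exposure("http://example.invalid/admin", {"WWW-Authenticate": SAMPLE_CHALLENGE}):
        print(line)
```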

Impact

Basic authentication credentials are subject to CSRF attacks, interception, brute force, and credential reuse. Attackers may abuse basic authentication to steal a user's credentials and/or gain unauthorized access to an application.

References