Insecure basic authentication
ID: java/insecure-basic-auth
Kind: path-problem
Security severity: 8.8
Severity: warning
Precision: medium
Tags:
- security
- external/cwe/cwe-522
- external/cwe/cwe-319
Query suites:
- java-security-extended.qls
- java-security-and-quality.qls
Basic authentication only obfuscates usernames and passwords with Base64 encoding, which is trivially recognized and reversed, so the credentials must not be transmitted over a cleartext HTTP channel. Transmitting sensitive information without HTTPS exposes it to packet sniffing.
Recommendation
Either use a more secure authentication mechanism like digest authentication or federated authentication, or use the HTTPS communication protocol.
Example
The following example shows two ways of using basic authentication. In the ‘BAD’ case, the credentials are transmitted over HTTP. In the ‘GOOD’ case, the credentials are transmitted over HTTPS.
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Base64;
import org.apache.http.client.methods.HttpPost;

public class InsecureBasicAuth {
    /**
     * Test basic authentication with Apache HTTP request.
     */
    public void testApacheHttpRequest(String username, String password) {
        // BAD: basic authentication over HTTP
        String url = "http://www.example.com/rest/getuser.do?uid=abcdx";

        // GOOD: basic authentication over HTTPS
        url = "https://www.example.com/rest/getuser.do?uid=abcdx";

        HttpPost post = new HttpPost(url);
        post.setHeader("Accept", "application/json");
        post.setHeader("Content-type", "application/json");

        // Base64 only encodes "username:password"; it provides no confidentiality
        String authString = username + ":" + password;
        byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes());
        String authStringEnc = new String(authEncBytes);
        post.addHeader("Authorization", "Basic " + authStringEnc);
    }

    /**
     * Test basic authentication with Java HTTP URL connection.
     */
    public void testHttpUrlConnection(String username, String password) throws IOException {
        // BAD: basic authentication over HTTP
        String urlStr = "http://www.example.com/rest/getuser.do?uid=abcdx";

        // GOOD: basic authentication over HTTPS
        urlStr = "https://www.example.com/rest/getuser.do?uid=abcdx";

        String authString = username + ":" + password;
        String encoding = Base64.getEncoder().encodeToString(authString.getBytes("UTF-8"));

        URL url = new URL(urlStr);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Authorization", "Basic " + encoding);
    }
}
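The page's example relies on the developer choosing the right URL. An added illustration of the recommendation above, written for this page and not part of CodeQL or Apache HttpClient, is a small helper that refuses to attach Basic credentials unless the URI scheme is https, and that decodes a header to show why the Base64 layer is not protection. The class name GuardedBasicAuth, its methods, the sample credentials and the use of the JDK 11+ java.net.http API are assumptions of this example.

```java
import java.net.URI;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Builds requests that carry HTTP Basic credentials only over HTTPS.
 * Hypothetical helper added for illustration; not the page's or any library's code.
 */
public final class GuardedBasicAuth {

    /** Thrown when credentials would otherwise be sent over a cleartext channel. */
    public static final class CleartextCredentialsException extends IllegalArgumentException {
        CleartextCredentialsException(String msg) { super(msg); }
    }

    /** Encodes "user:password" the way the Basic scheme requires (RFC 7617). */
    static String basicHeaderValue(String username, String password) {
        String pair = username + ":" + password;
        return "Basic " + Base64.getEncoder()
                .encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    /** Recovers the credential pair from a header value: Base64 is encoding, not encryption. */
    static String decodeBasicHeader(String headerValue) {
        String b64 = headerValue.substring("Basic ".length());
        return new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
    }

    /**
     * Returns a POST request carrying an Authorization header, or throws
     * if the URI scheme is anything other than https.
     */
    static HttpRequest authenticatedPost(String url, String username,
                                         String password, String jsonBody) {
        URI uri = URI.create(url);
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new CleartextCredentialsException(
                "refusing to send Basic credentials over " + uri.getScheme()
                + " to " + uri.getHost());
        }
        return HttpRequest.newBuilder(uri)
                .header("Accept", "application/json")
                .header("Content-Type", "application/json")
                .header("Authorization", basicHeaderValue(username, password))
                .POST(HttpRequest.BodyPublishers.ofString(jsonBody))
                .build();
    }

    public static void main(String[] args) {
        // Constructed sample credentials; no request is actually sent here.
        String header = basicHeaderValue("alice", "s3cret");
        System.out.println(header + " decodes to " + decodeBasicHeader(header));

        // Same hypothetical endpoint as the page's example, with the scheme enforced.
        HttpRequest ok = authenticatedPost(
                "https://www.example.com/rest/getuser.do?uid=abcdx", "alice", "s3cret", "{}");
        System.out.println("built " + ok.method() + " " + ok.uri());

        try {
            authenticatedPost(
                "http://www.example.com/rest/getuser.do?uid=abcdx", "alice", "s3cret", "{}");
        } catch (CleartextCredentialsException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        // Sending is the caller's job, e.g. HttpClient.newHttpClient().send(ok, BodyHandlers.ofString())
    }
}
```

Putting the scheme check in the one place that builds authenticated requests means a URL that is later changed from https to http fails fast in tests rather than silently leaking credentials, which is the same condition the query flags.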
References
SonarSource rule: Basic authentication should not be used.
Acunetix: WEB VULNERABILITIES INDEX - Basic authentication over HTTP.
Common Weakness Enumeration: CWE-522.
Common Weakness Enumeration: CWE-319.