H3-2022-0075
Public-Facing Application Exposed with HTTP Basic Authentication
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 3.0 |
Description
An application utilizing HTTP basic authentication is accessible via the Internet. Credentials sent using basic authentication are sent in HTTP headers and may be cached in web browsers. Cached credentials may be abused for CSRF attacks. Additionally, basic authentication credentials are sent unencrypted in each HTTP request, increasing the risks of interception and credential reuse. Basic authentication applications also do not provide protections against brute force attacks.
Impact
Basic authentication credentials are subject to CSRF attacks, interception, brute force, and credential reuse. Attackers may abuse basic authentication to steal a user's credential and/or gain unauthorized access to an application.