INSECURE AUTH PROTOCOL

Type: Detection
Risk: OWASP A6
Covered by: Agent

The application uses an authentication protocol that is not considered secure. The protocol referred to as "HTTP/1.0" (RFC 1945) includes the specification for the Basic Access Authentication scheme, later restated in RFC 2617 and RFC 7617. That scheme is not a secure method of user authentication: the client sends the user name and password in the Authorization header as Base64(user:password). Base64 is an encoding, not encryption, so anyone who can observe the request recovers the credentials unless the connection itself is protected by TLS.

Because of these weaknesses, the Digest Access Authentication scheme was introduced to avoid the worst of them. Its own specification (RFC 2617) is explicit about what Digest does and does not provide:

The Digest Access Authentication scheme is not intended to be a complete answer to the need for security in the World Wide Web. This scheme provides no encryption of message content. The intent is simply to create an access authentication method that avoids the most serious flaws of Basic authentication.

Digest access authentication is intended as a security trade-off. It is intended to replace unencrypted HTTP basic access authentication. It is not, however, intended to replace strong authentication protocols, such as public-key or Kerberos authentication.

Digest authentication has security drawbacks of its own. As the specification text above states, it encrypts nothing; it only keeps the password itself off the wire. The whole scheme is also built on MD5: the response the client sends is an MD5 hash over the credentials, the server nonce and the request. RFC 7616 later defined SHA-256 variants, but MD5 remains the default, and since MD5 is not an approved algorithm under FIPS 140, HTTP Digest authentication will not work with FIPS-certified crypto modules.
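The two weaknesses described above, Basic's Base64-only protection and Digest's dependence on MD5, shown in working code. This is an added example and not part of the original page or of any scanner's code. It inspects constructed sample HTTP messages (the host intranet.example, the user alice with password hunter2, the nonce and all header values are made up for the example), decodes a Basic credential straight out of the Authorization header, builds and verifies an RFC 2617 Digest response to show that every step is MD5, and flags Basic or Digest challenges the way a detector would, noting whether Basic was offered over plaintext HTTP.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Constructed sample traffic for this example (not captured from any real system).
# The Basic token is base64("alice:hunter2"); the Digest nonce is an arbitrary hex string.
BASIC_CHALLENGE = 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="admin"\r\n\r\n'
BASIC_REQUEST = ("GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                 "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n")
DIGEST_CHALLENGE = ('HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Digest realm="admin", '
                    'qop="auth", algorithm=MD5, nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"\r\n\r\n')


def parse_headers(raw):
    """Split a raw HTTP/1.x message head into (start_line, [(name, value), ...])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    pairs = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return lines[0], pairs


def header_values(raw, name):
    """All values of a header that may be repeated (e.g. several WWW-Authenticate lines)."""
    return [v for n, v in parse_headers(raw)[1] if n == name.lower()]


def decode_basic(authorization):
    """Recover user and password from 'Authorization: Basic <token>'.
    Base64 is an encoding, not encryption: anyone who sees the request can do this."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def parse_digest_params(value):
    """Parse the key=value list of a Digest header (values quoted or bare)."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', value)}


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth. Every step is MD5, which is why the scheme
    cannot run on a FIPS-approved crypto module."""
    def md5(s):
        return hashlib.md5(s.encode("utf-8")).hexdigest()
    ha1 = md5(f"{user}:{realm}:{password}")  # servers may store HA1 instead of the password
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_digest_request(challenge_raw, method, uri, user, password,
                         nc="00000001", cnonce="0a4f113b"):
    """Client side: answer a Digest challenge (used here to construct the sample request)."""
    p = parse_digest_params(header_values(challenge_raw, "www-authenticate")[0])
    resp = digest_response(user, p["realm"], password, method, uri, p["nonce"], nc, cnonce)
    auth = (f'Digest username="{user}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')
    return f"{method} {uri} HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: {auth}\r\n\r\n"


def verify_digest(request_raw, password_for_user):
    """Server side: recompute the response from the stored password and compare."""
    start, _ = parse_headers(request_raw)
    method, uri, _ = start.split(" ", 2)
    auth = header_values(request_raw, "authorization")[0]
    if not auth.lower().startswith("digest "):
        return False
    p = parse_digest_params(auth)
    password = password_for_user(p["username"])
    if password is None:
        return False
    expected = digest_response(p["username"], p["realm"], password, method, p["uri"],
                               p["nonce"], p["nc"], p["cnonce"], p.get("qop", "auth"))
    return hmac.compare_digest(expected, p["response"])


def find_insecure_auth(url, response_raw):
    """Detection: flag Basic and Digest challenges in a server response. For Basic the
    transport matters: over http:// the credentials are readable by anyone on the path."""
    findings = []
    plaintext = urlparse(url).scheme.lower() == "http"
    for challenge in header_values(response_raw, "www-authenticate"):
        scheme = challenge.split(None, 1)[0].lower()
        if scheme == "basic":
            how = "in the clear" if plaintext else "protected only by TLS"
            findings.append(("basic", f"Basic auth: Base64 user:password sent {how}"))
        elif scheme == "digest":
            alg = parse_digest_params(challenge).get("algorithm", "MD5")
            findings.append(("digest", f"Digest auth: {alg} challenge-response, "
                                       "not a substitute for public-key or Kerberos auth"))
    return findings
```

Run find_insecure_auth("http://intranet.example/admin", BASIC_CHALLENGE) to see the Basic finding, and decode_basic on the Authorization header of BASIC_REQUEST to see the plaintext pair it yields. On a Python built against a FIPS-mode OpenSSL, digest_response fails inside hashlib.md5 with a ValueError, which is the practical meaning of the FIPS sentence above.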

How to solve it

Replace Basic and Digest authentication with a strong authentication protocol. For web-based applications the strong protocols named above are public-key authentication (in practice, client certificates over TLS) and Kerberos authentication. Where Basic authentication cannot be removed, it must only ever be offered over HTTPS, so that the Base64-encoded credentials are at least encrypted in transit.