Web Page Uses Cleartext HTTP Basic Authentication (Port 80)
Poor authentication practices may leave the web application vulnerable to authentication attacks.
Some web applications perform authentication by requiring a user to enter a login and password into an HTML form. This type of authentication is achieved using the HTML INPUT element with the type attribute set to password.
There are several potential vulnerabilities associated with HTML form-based authentication:
Authentication Credentials Prefilled. The password field is prefilled with a default value, possibly allowing universal access to the application being authenticated.
Clear-text Form-based Authentication. The password is sent over the network unencrypted when a user submits the login form, thereby allowing an attacker who is capable of sniffing the network to view the password.
Clear-text HTTP Basic Authentication. The password is sent over the network unencrypted when a user authenticates to a protected web directory, thereby allowing an attacker who is capable of sniffing the network to view the password.
Autocomplete Enabled. The form allows the browser's autocomplete feature to automatically fill the password field with previously submitted values when a user begins entering a password. This feature could reveal one user's password to another user on the same computer.
Additional information on the INPUT element is in the HTML 4.01 Specification, [http://www.w3.org/TR/1999/REC-html40...s.html#h-17.4]
For more information on HTTPS, see [http://searchsoftwarequality.techtar...14006,00.html]
For more information on the autocomplete feature in HTML, see HTML Code Tutorial.
To use HTML form-based authentication more securely in web applications, do the following:
Remove the value attribute from the INPUT tag corresponding to the password field.
Submit all forms to an SSL-enabled (https) service using the form's action attribute.
Place all protected web directories on an SSL-enabled (https) service.
Use the autocomplete="off" attribute in the INPUT tag corresponding to the password field.
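The following audit script is an added example, not part of the original finding text: it checks a login page's HTML and its response headers for the four weaknesses listed above and reports which remediation steps are still missing. The page URL, the host app.example and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormAuditor(HTMLParser):
    """Collects the form-based weaknesses for every password INPUT on a page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_action = None  # resolved action of the form being parsed
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing action attribute submits back to the page URL itself.
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if a.get("value"):
                self.findings.append("Authentication Credentials Prefilled")
            if (a.get("autocomplete") or "").lower() != "off":
                self.findings.append("Autocomplete Enabled")
            target = self.form_action or self.page_url
            if urlparse(target).scheme.lower() != "https":
                self.findings.append("Clear-text Form-based Authentication")

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def audit_login_page(page_url, html, response_headers):
    """Return the finding names for one page, in document order, without duplicates."""
    auditor = _FormAuditor(page_url)
    auditor.feed(html)
    findings = auditor.findings
    headers = {k.lower(): v for k, v in response_headers.items()}
    # A Basic challenge over plain http makes the browser send credentials
    # that are only base64-encoded, not encrypted.
    if headers.get("www-authenticate", "").lower().startswith("basic") \
            and urlparse(page_url).scheme.lower() != "https":
        findings.append("Clear-text HTTP Basic Authentication")
    return list(dict.fromkeys(findings))


# Constructed sample: a login form with every weakness the finding lists.
WEAK_HTML = """<form action="http://app.example/login" method="post">
<input type="text" name="user"><input type="password" name="pass" value="changeme"></form>"""
# Constructed sample: the same form after the recommended fixes.
FIXED_HTML = """<form action="https://app.example/login" method="post">
<input type="text" name="user"><input type="password" name="pass" autocomplete="off"></form>"""
```

Running audit_login_page("http://app.example/", WEAK_HTML, {"WWW-Authenticate": 'Basic realm="admin"'}) reports all four findings, while the fixed form served over https with no Basic challenge reports none.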