http-basic-auth – Page 2 – WindowsTechs.com

HTTP Basic Auth question

Posted on September 24, 2020 by jpj

I am using HTTP Basic Auth to authenticate the user.
Once authenticated, I set req.session.loggedIn = true.
If a user makes requests after being logged in, for security purposes, should I just check the session loggedIn value or send the b… Continue reading HTTP Basic Auth question→

Should http basic auth passwords be stored hashed serverside?

Posted on September 10, 2020 by Prime

HTTP basic auth sends credentials un-hashed and unencrypted over the wire, relying on TLS for confidentiality in transit. However, should the password be stored hashed using a standard KDF in the backend for comparison on receipt?

Continue reading Should http basic auth passwords be stored hashed serverside?→

IIS CMS access web service

Posted on July 9, 2020 by Jefferson

We are creating a new web site and it’s using a CMS that will connect to a internal web service that will connect to a sql database. The cms will be in the DMZ and the web service will be in the protection network with the database. My que… Continue reading IIS CMS access web service→

HTTP Basic Auth and CSRF

Posted on July 7, 2020 by Lucas Basquerotto

I would like to know if the Basic Authentication header for site A can be sent from site B when trying to access site A for non-GET requests (which would make the site vulnerable to CSRF attacks).
I tried to call a site on localhost from a… Continue reading HTTP Basic Auth and CSRF→

Can sqlmap test for SQL injection in Basic Authentication?

Posted on April 10, 2020 by chefarov

I have been trying to make sqlmap test the username parameter in a fake login page that uses basic authentication. However I cannot make it test the Authentication header via the asterisk trick:
sqlmap –auth-type "BASIC" –auth-… Continue reading Can sqlmap test for SQL injection in Basic Authentication?→

Basic Auth exposed to ISP/DNS?

Posted on February 4, 2020 by WorseDoughnut

Would someone using basic authentication in a URL such as

https://username:password@example.com

have their credentials be visible to their ISP or DNS?

Continue reading Basic Auth exposed to ISP/DNS?→

What are the security risks of basic authorization in SOAP requests?

Posted on November 27, 2019 by user187205

What are the security risks of basic authorization in SOAP requests?
I know that the username and password are concatenated and sent in Base64 in an HTTP header on every subsequent request, but it is still popular in SOAP WS.

Continue reading What are the security risks of basic authorization in SOAP requests?→

Is there a way to add an HTTP header before using a metasploit module

Posted on November 12, 2019 by Soufiane Tahiri

I’m quite confused and I didnt find a way to figure how to add a custom header or for exemple an Authentication Header before using/running a module on metasploit.

My question is: there is a way to authenticate “the module” … Continue reading Is there a way to add an HTTP header before using a metasploit module→

HTTP Basic Authentication vs. obscure filename

Posted on October 13, 2019 by Alastair McCormack

I’m setting up a service which allows a single 3rd party to access a file over HTTPS. The only security mechanism the 3rd party supports is Basic Authentication.

To reduce complexity, I was going to host the file on S3. Howe… Continue reading HTTP Basic Authentication vs. obscure filename→

What is the difference between using an auth header and the request body to send credentials?

Posted on October 3, 2019 by GendoIkari

I have an API that uses JWT token-based authentication. In order to get a short-lived token, the client first calls a /Token endpoint, passing username and password in the body of the request. As I understand it, this is a st… Continue reading What is the difference between using an auth header and the request body to send credentials?→