Rules Repository: RSPEC-2647

Basic authentication should not be used

    Details

    • Message:
      Use a more secure method than basic authentication.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C#, XML
    • Covered Languages:
      Java
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      2h
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-522, CWE-311
    • OWASP:
      A6
    • SANS Top 25:
      Porous Defenses

      Description

Basic authentication sends the user name and password on every request, and its only means of obfuscation is Base64 encoding. Base64 is an encoding, not encryption: the header is easily recognized (the value starts with "Basic ") and reversed in a single decoding step, so anyone who can read the request, whether on the network, in a proxy, or in a server log that records headers, recovers the cleartext credentials. TLS hides the header in transit but does not change the fact that the long-lived password itself travels with every call and ends up wherever headers are stored. Basic authentication therefore offers only the thinnest veil of protection to your users and should not be used; prefer a scheme such as a short-lived bearer token issued by an identity provider, sent only over HTTPS.

      Noncompliant Code Example

// Using HttpPost from Apache HttpClient
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.apache.http.client.methods.HttpPost;

// "login:passwd" is only Base64-encoded; anyone holding the header can decode it
String encoding = Base64.getEncoder().encodeToString("login:passwd".getBytes(StandardCharsets.UTF_8));
HttpPost httppost = new HttpPost(url);
httppost.setHeader("Authorization", "Basic " + encoding);  // Noncompliant
      
      or 
      
// Using HttpURLConnection
import java.net.HttpURLConnection;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

String encoding = Base64.getEncoder().encodeToString("login:passwd".getBytes(StandardCharsets.UTF_8));
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
conn.setRequestMethod("POST");
conn.setDoOutput(true);
conn.setRequestProperty("Authorization", "Basic " + encoding); // Noncompliant
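The following is an added example, not code from the rule page or from SonarSource. It builds the header exactly as the noncompliant snippets do, then shows what an on-path attacker or anyone reading a proxy log does with it (one Base64 decode returns the login and password), and finally one compliant alternative: a short-lived bearer token sent only over HTTPS, with the client refusing a cleartext URL. The class name, the token value and the endpoint are placeholders chosen for the example.

```java
import java.net.URI;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example (not part of RSPEC-2647): why a Basic header is recoverable,
 * and one compliant way to authenticate the request instead.
 */
public class BasicAuthDemo {

    /** Builds the header the same way the noncompliant snippets do. */
    static String basicHeader(String login, String password) {
        String raw = login + ":" + password;
        return "Basic " + Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * The attacker's side: a single Base64 decode yields the credentials.
     * Returns {login, password}. Only the first ':' separates the two,
     * because RFC 7617 allows the password itself to contain ':'.
     */
    static String[] recoverCredentials(String authorizationHeader) {
        if (!authorizationHeader.startsWith("Basic ")) {
            throw new IllegalArgumentException("not a Basic Authorization header");
        }
        byte[] decoded = Base64.getDecoder().decode(authorizationHeader.substring("Basic ".length()));
        String raw = new String(decoded, StandardCharsets.UTF_8);
        int colon = raw.indexOf(':');
        if (colon < 0) {
            throw new IllegalArgumentException("malformed Basic credentials");
        }
        return new String[] { raw.substring(0, colon), raw.substring(colon + 1) };
    }

    /**
     * Compliant alternative: a short-lived access token obtained from an
     * identity provider (assumed to exist outside this example) is sent as a
     * Bearer credential, and only over HTTPS. A cleartext URL is rejected
     * before any credential is attached.
     */
    static HttpRequest bearerRequest(URI url, String accessToken) {
        if (!"https".equalsIgnoreCase(url.getScheme())) {
            throw new IllegalArgumentException("refusing to send credentials over cleartext: " + url);
        }
        return HttpRequest.newBuilder(url)
                .header("Authorization", "Bearer " + accessToken)
                .POST(HttpRequest.BodyPublishers.noBody())
                .build();
    }

    public static void main(String[] args) {
        // Constructed sample credentials, matching the snippets above.
        String header = basicHeader("login", "passwd");
        System.out.println("Header on the wire : " + header);

        String[] creds = recoverCredentials(header);
        System.out.println("Recovered login    : " + creds[0]);
        System.out.println("Recovered password : " + creds[1]);

        // Placeholder endpoint and token; both are assumptions for the example.
        HttpRequest req = bearerRequest(URI.create("https://api.example.com/resource"), "<token-from-idp>");
        System.out.println("Compliant request  : " + req.method() + " " + req.uri()
                + " with " + req.headers().firstValue("Authorization").orElse("(none)"));

        // Sending the same token to http://api.example.com/resource would throw,
        // which is the point: credentials never leave the client in cleartext.
    }
}
```

Compile and run with `javac BasicAuthDemo.java && java BasicAuthDemo`. The `recoverCredentials` method is also a useful detection helper: the same decode applied to captured traffic or header-logging proxies is how an auditor confirms that Basic credentials are being exposed.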
      

      Issue Links

      XML RSPEC-5238 Language-Specification

      Reporter: Ann Campbell