Web Server Basic Authentication = Weak

I’d like to point out that I knew Basic Authentication in web servers were not bullet proof but in fact the total opposite (pointed out in the energy@home documents). This was hammered home when I was inspired to do some optimizations on the energy@home project but I was very interested in the initial load and AJAX requests by the Google I/O 2011: Using GWT and Eclipse to Build Great Mobile Web Apps. During that process I noticed the GET request headers include an “Authorization” field with what looked like a base64 string. Low and behold entering the text into a base64 decoder and out came my username and password.

Whilst I saw this running Firebug on my local machine, it makes it very easy for a man in the middle or a sniffer to capture the packet and easily get the header and therefore decode and see the username and password.

In the mean time I have implemented HTTPS on my own installation but this does not help the majority using the software. This does not solve the problem but it does elevate the security to (try) and hinder the sniffers and firesheep like attacks.

Base 64 Decoder
Firebug FireFox Addon

About Danny

I.T software professional always studying and applying the knowledge gained and one way of doing this is to blog. Danny also has participates in a part time project called Energy@Home [http://code.google.com/p/energyathome/] for monitoring energy usage on a premise. Dedicated to I.T since studying pure Information Technology since the age of 16, Danny Tsang working in the field that he has aimed for since leaving school. View all posts by Danny → This entry was posted in energy@home, Security, Web Server, Website and tagged , , , , , , , , , . Bookmark the permalink.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.