Insecure basic authentication¶
ID: java/insecure-basic-auth
Kind: path-problem
Security severity: 8.8
Severity: warning
Precision: medium
Tags:
- security
- external/cwe/cwe-522
- external/cwe/cwe-319
Query suites:
- java-security-extended.qls
- java-security-and-quality.qls
Basic authentication only obfuscates the username and password with Base64 encoding, which is easily recognized and reversed, so it must never be sent over a plaintext HTTP channel. Transmitting sensitive information without HTTPS leaves the data exposed to packet sniffing.
Recommendation¶
Use a more secure authentication mechanism such as digest authentication or federated authentication, or send the credentials over HTTPS.
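As an added illustration that is not part of the original query help, the following Java class shows both halves of the point above: a captured Basic Authorization header decodes straight back to the credentials with one library call, and a small guard refuses to build such a header for any URI whose scheme is not https. The class name, the method names and the sample credentials are assumptions made for this example only.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthGuard {

    /**
     * Build the value of a Basic Authorization header, but only for an HTTPS target.
     * Any other scheme (http, ftp, ...) is rejected before credentials are encoded.
     */
    public static String basicAuthHeader(URI target, String username, String password) {
        String scheme = target.getScheme();
        if (!"https".equalsIgnoreCase(scheme)) {
            throw new IllegalArgumentException(
                "Refusing to send Basic credentials over scheme '" + scheme + "': " + target);
        }
        // RFC 7617 format: base64("user-id:password"); the user-id itself may not contain ':'
        String raw = username + ":" + password;
        return "Basic " + Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * What an on-path attacker does with a sniffed header: Base64 is reversible,
     * so the plaintext username and password come straight back out.
     * Splits on the first ':' so passwords containing ':' survive intact.
     */
    public static String[] recoverCredentials(String authorizationHeader) {
        String prefix = "Basic ";
        if (!authorizationHeader.startsWith(prefix)) {
            throw new IllegalArgumentException("Not a Basic authentication header");
        }
        byte[] decoded = Base64.getDecoder().decode(authorizationHeader.substring(prefix.length()));
        String raw = new String(decoded, StandardCharsets.UTF_8);
        int sep = raw.indexOf(':');
        if (sep < 0) {
            throw new IllegalArgumentException("Malformed credentials: no ':' separator");
        }
        return new String[] { raw.substring(0, sep), raw.substring(sep + 1) };
    }

    public static void main(String[] args) {
        // Constructed sample inputs (assumed): same endpoint as the query-help example
        URI httpsTarget = URI.create("https://www.example.com/rest/getuser.do?uid=abcdx");
        URI httpTarget = URI.create("http://www.example.com/rest/getuser.do?uid=abcdx");

        String header = basicAuthHeader(httpsTarget, "alice", "s3cr:et");
        System.out.println("Header sent over HTTPS: " + header);

        // Anyone who captures that header on the wire recovers the credentials instantly
        String[] creds = recoverCredentials(header);
        System.out.println("Recovered user=" + creds[0] + " password=" + creds[1]);

        // The guard stops the insecure variant before any credential leaves the process
        try {
            basicAuthHeader(httpTarget, "alice", "s3cr:et");
        } catch (IllegalArgumentException e) {
            System.out.println("Blocked: " + e.getMessage());
        }
    }
}
```

The guard is a defence in depth, not a replacement for the recommendation: it prevents the specific mistake the query flags (a Basic header attached to an http:// URL), but the credentials are still only as safe as the TLS connection that carries them, so certificate validation must not be disabled on the client.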
Example¶
The following example shows two ways of using basic authentication. In the "BAD" case the credentials are sent over HTTP; in the "GOOD" case they are sent over HTTPS.
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Base64;

import org.apache.http.client.methods.HttpPost;

public class InsecureBasicAuth {
    /**
     * Test basic authentication with Apache HTTP request.
     */
    public void testApacheHttpRequest(String username, String password) {
        // BAD: basic authentication over HTTP
        String url = "http://www.example.com/rest/getuser.do?uid=abcdx";

        // GOOD: basic authentication over HTTPS
        url = "https://www.example.com/rest/getuser.do?uid=abcdx";

        HttpPost post = new HttpPost(url);
        post.setHeader("Accept", "application/json");
        post.setHeader("Content-type", "application/json");

        // Base64 is an encoding, not encryption: "user:pass" is trivially recoverable
        String authString = username + ":" + password;
        byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes());
        String authStringEnc = new String(authEncBytes);
        post.addHeader("Authorization", "Basic " + authStringEnc);
    }

    /**
     * Test basic authentication with Java HTTP URL connection.
     */
    public void testHttpUrlConnection(String username, String password) throws IOException {
        // BAD: basic authentication over HTTP
        String urlStr = "http://www.example.com/rest/getuser.do?uid=abcdx";

        // GOOD: basic authentication over HTTPS
        urlStr = "https://www.example.com/rest/getuser.do?uid=abcdx";

        String authString = username + ":" + password;
        String encoding = Base64.getEncoder().encodeToString(authString.getBytes("UTF-8"));

        URL url = new URL(urlStr);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Authorization", "Basic " + encoding);
    }
}
References¶
SonarSource rule: Basic authentication should not be used.
Acunetix: WEB VULNERABILITIES INDEX - Basic authentication over HTTP.
Common Weakness Enumeration: CWE-522.
Common Weakness Enumeration: CWE-319.