home / blog

HTTP Basic authentication

A lot of people know that “basic” authentication for websites is secure, but how insecure? How difficult is it to intercept? Adam investigates…

Background first. Here is an apache setup of basic authentication to go into a .htaccess file.

AuthName "Unauthorised use strictly forbidden."
AuthType Basic
AuthUserFile /home/horse/.htpasswd
AuthGroupFile /dev/null
require user horse

Setting up the password file.

htpasswd -c ~/.htpasswd horse
New password: 
Re-type new password: 
Adding password for user horse

The “TCP dump” tool outputs packets to stdout, we filter out strings and then the HTTP response from clients to servers. It must be run as root as requires raw access to the network device. wlan0 is my wireless card.

sudo tcpdump -i wlan0 -w - | strings | grep -i "Authorization: Basic"
Authorization: Basic aG9yc2U6cGFzc3dvcmQxMjMK==
230 packets captured
230 packets received by filter

The username password is contained in the string aG9yc2U6cGFzc3dvcmQxMjMK which is simply a base64 encoding of username:password. Running base64 -d decodes the credentials as username of horse and password of password123.

echo aG9yc2U6cGFzc3dvcmQxMjMK | base64 -d
horse:password123

Note you could use a higher level tool such as wireshark instead of tcpdump.

So what can we do? Well a very easy step in the right direction is to use digest based authentication. This uses a MD5 hash instead of the password in the clear.

Here is an example setup for a local .htaccess file.

AuthType Digest
AuthName "Unauthorised use strictly forbidden"
#AuthUserFile /home/horse/.digest_pw
AuthDigestFile /home/horse/.digest_pw
AuthDigestDomain http://www.example.com/private/
Require user horse
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On

Note: Depending on your apache version you may need to change AuthUserFile to AuthDigestFile.

Setting up the digest file.

htdigest -c  ~/.digest_pw "Unauthorised use strictly forbidden" horse
New password: 
Re-type new password: 
This entry was posted in geek and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published.