Insecure Authentication

ID

python.insecure_authentication

Severity

high

Resource

Information Leak

Language

Python

Tags

CWE:319, NIST.SP.800-53, OWASP:2021:A4, PCI-DSS:6.5.4, PCI-DSS:6.5.6

Description

Insecure authentication occurs when authentication credentials, such as passwords, are transmitted over an insecure channel, such as HTTP, making them vulnerable to interception.

Rationale

Insecure authentication is a significant vulnerability that arises when sensitive information, like passwords or tokens, is transmitted without proper encryption. This usually happens over unsecured communication channels, like HTTP, where attackers can easily intercept and capture these credentials.

Here’s a Python example illustrating insecure authentication:

import requests

# Insecure HTTP request for login
response = requests.post('http://example.com/login', data={'username': 'user', 'password': 'pass'}) # FLAW

Remediation

To remediate this vulnerability, ensure that all sensitive information is transmitted over secure channels such as HTTPS. This ensures that the data is encrypted in transit.

Here’s the corrected version of the previous example:

import requests

# Secure HTTPS request for login
response = requests.post('https://example.com/login', data={'username': 'user', 'password': 'pass'})

Additionally, consider implementing further security measures such as multi-factor authentication and using secure password storage mechanisms like bcrypt for hash-based password handling.

References

  • CWE-319 : Cleartext Transmission of Sensitive Information.