Basic Authentication Credentials

ID

basicauth

Severity

high

Vendor

-

Family

Password

Description

Network resources are often specified by URL. Many protocols that require basic (password) authentication allow the credentials (username and password) to be encoded directly in the URL.

For example, the URL https://user:pass@host:port/path encodes basic authentication credentials in its userinfo component. A client using this URL will send an HTTP request carrying a basic authentication header built from those credentials. Such a user:pass pair is an obvious hardcoded secret.

See RFC 3986 (URI generic syntax), section 3.2.

Security

Any hardcoded basic authentication credential in a URL is a potential secret and is reported by this detector.

Note that this detector supports exceptions, because credentials for test services used only during development should usually be ignored. The properties ignore.hosts, ignore.users and ignore.passwords can be configured to define such exceptions.

Examples

admin_url = "https://admin:K3XzyZJGQCr00@example.com/"
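The following is an added example (not the detector's own code) showing how a scanner of this kind works: it finds URLs with a userinfo component in source lines, parses out the username, password and host, and applies ignore lists modelled on the ignore.hosts, ignore.users and ignore.passwords properties described above. The sample source lines, the ignore-list contents and the function names are constructed for this illustration; only the admin_url line is taken from the page.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: the admin_url line from this page plus three lines
# that exercise the ignore lists and the no-credential case.
SAMPLE_SOURCE = """\
admin_url = "https://admin:K3XzyZJGQCr00@example.com/"
dev_db = "http://dev:dev@localhost:8080/health"
ci_url = "https://ci-bot:changeme@build.internal.test/api"
plain = "https://example.com/no/credentials"
"""

# Hypothetical configuration mirroring the ignore.hosts / ignore.users /
# ignore.passwords properties; values are illustrative only.
IGNORE_HOSTS = {"localhost", "127.0.0.1"}
IGNORE_USERS = {"test"}
IGNORE_PASSWORDS = {"changeme", "password"}

# Candidate URL with a userinfo component: scheme://userinfo@rest
# The character classes stop at whitespace and common quoting characters.
URL_RE = re.compile(r"[a-zA-Z][a-zA-Z0-9+.-]*://[^\s\"'<>@]+@[^\s\"'<>]+")


def mask_password(password):
    """Keep the first two characters so a finding is recognisable without
    re-leaking the secret in scanner output."""
    return password[:2] + "*" * max(len(password) - 2, 0)


def find_basicauth_urls(source, ignore_hosts=IGNORE_HOSTS,
                        ignore_users=IGNORE_USERS,
                        ignore_passwords=IGNORE_PASSWORDS):
    """Return one finding per URL that embeds a username and password
    and is not excluded by the ignore lists."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            try:
                parts = urlsplit(match.group(0))
            except ValueError:
                continue  # malformed netloc (e.g. bad IPv6 literal)
            if parts.username is None or parts.password is None:
                continue  # userinfo without a password is not a credential
            if (parts.hostname in ignore_hosts
                    or parts.username in ignore_users
                    or parts.password in ignore_passwords):
                continue  # configured exception, e.g. a dev/test service
            findings.append({
                "line": lineno,
                "host": parts.hostname,
                "username": parts.username,
                "password_masked": mask_password(parts.password),
            })
    return findings


if __name__ == "__main__":
    for finding in find_basicauth_urls(SAMPLE_SOURCE):
        print(f"line {finding['line']}: {finding['username']}:"
              f"{finding['password_masked']}@{finding['host']}")
```

With the ignore lists as configured, only the admin_url line is reported: the localhost URL is suppressed by ignore.hosts and the changeme password by ignore.passwords. Clearing those lists reports all three credentialed URLs, which is the behaviour to expect when the exceptions are misconfigured.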

Mitigation / Fix

  1. Remove the hardcoded credentials from the URL in the source code or committed configuration file. Use another technique for basic authentication that avoids the need to hardcode the credentials in the URL.

  2. Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s).

  3. Check the access logs of the system serving the URL to ensure that the secret was not used by unintended actors during the compromised period.
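As an added illustration of step 1 (not code from this page), the following keeps the URL free of credentials and instead reads the username and password from environment variables at run time, attaching them as a basic authentication header. The environment variable names and the helper function names are assumptions made for this example; the request is only prepared, not sent.

```python
import base64
import os
from urllib.parse import urlsplit
from urllib.request import Request


def basic_auth_header(username, password):
    """Build the Authorization header value a client derives from a
    user:pass pair, so the pair never has to live inside the URL."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def credential_free_request(url, username, password):
    """Prepare a request for a URL that carries no userinfo component.
    Refuses URLs that still embed credentials, so a fix that only moved the
    secret into a variable but kept it in the URL is caught early."""
    parts = urlsplit(url)
    if parts.username is not None or parts.password is not None:
        raise ValueError("URL must not embed credentials: " + parts.netloc)
    request = Request(url)
    request.add_header("Authorization", basic_auth_header(username, password))
    return request


def request_from_environment(url):
    """Read the secret from the process environment (variable names are
    assumed for this example) rather than from source or committed config."""
    username = os.environ["ADMIN_USER"]
    password = os.environ["ADMIN_PASSWORD"]
    return credential_free_request(url, username, password)


if __name__ == "__main__":
    # Constructed values standing in for an injected secret.
    os.environ.setdefault("ADMIN_USER", "admin")
    os.environ.setdefault("ADMIN_PASSWORD", "secret")
    req = request_from_environment("https://example.com/")
    print(req.full_url, req.get_header("Authorization")[:6] + "...")
```

Where the credentials are supplied (environment, a secrets manager, a mounted file) matters less than the property enforced here: the committed source contains only the credential-free URL, and the header is assembled from values injected at run time.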