Insecure Authentication

ID

java.insecure_authentication

Severity

high

Resource

Information Leak

Language

Java

Tags

CWE:319, NIST.SP.800-53, OWASP:2021:A4, PCI-DSS:6.5.4, PCI-DSS:6.5.6

Description

Insecure authentication occurs when authentication credentials, such as passwords, are transmitted over an insecure channel, such as HTTP, making them vulnerable to interception.

Rationale

Insecure authentication is a significant vulnerability that arises when sensitive information, like passwords or tokens, is transmitted without proper encryption. This usually happens over unsecured communication channels, like HTTP, where attackers can easily intercept and capture these credentials.

Here’s a Java example illustrating insecure authentication:

import okhttp3.*;
import java.io.IOException;

public class AuthRequest {

  public void authRequestOkHttp(String user, String password) {
    OkHttpClient client = new OkHttpClient();

    String url = "http://yourapi.com/auth"; // cleartext scheme: the credentials below cross the network unencrypted
    String json = "{\"username\": \"" + user + "\", \"password\": \"" + password + "\"}";

    RequestBody requestBody = RequestBody.create(
        json, MediaType.parse("application/json; charset=utf-8")
    );

    Request request = new Request.Builder() // FLAW
        .url(url)
        .post(requestBody)
        .build();

    client.newCall(request).enqueue(new Callback() {
      @Override
      public void onFailure(Call call, IOException e) {
        e.printStackTrace();
      }

      @Override
      public void onResponse(Call call, Response response) throws IOException {
        try (Response res = response) {
          if (!res.isSuccessful()) {
            System.out.println("Failed: " + res.code());
          } else {
            System.out.println("Response: " + res.body().string());
          }
        }
      }
    });
  }
}

Remediation

To remediate this vulnerability, ensure that all sensitive information is transmitted over secure channels such as HTTPS. This ensures that the data is encrypted in transit.

Here’s the corrected version of the previous example:

import okhttp3.*;
import java.io.IOException;

public class AuthRequest {

  public void authRequestOkHttp(String user, String password) {
    OkHttpClient client = new OkHttpClient();

    String url = "https://yourapi.com/auth"; // TLS: the credentials are encrypted in transit
    String json = "{\"username\": \"" + user + "\", \"password\": \"" + password + "\"}";

    RequestBody requestBody = RequestBody.create(
        json, MediaType.parse("application/json; charset=utf-8")
    );

    Request request = new Request.Builder()
        .url(url)
        .post(requestBody)
        .build();

    client.newCall(request).enqueue(new Callback() {
      @Override
      public void onFailure(Call call, IOException e) {
        e.printStackTrace();
      }

      @Override
      public void onResponse(Call call, Response response) throws IOException {
        try (Response res = response) {
          if (!res.isSuccessful()) {
            System.out.println("Failed: " + res.code());
          } else {
            System.out.println("Response: " + res.body().string());
          }
        }
      }
    });
  }
}

Additionally, consider implementing further security measures such as multi-factor authentication, and store passwords using a secure password hashing mechanism such as bcrypt.
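Relying on a correctly typed URL string is fragile. The following added example (not part of the original rule page or of OkHttp itself) shows two defensive layers in Java with OkHttp: a client configured without ConnectionSpec.CLEARTEXT, so it refuses any http:// URL at the transport level, and an explicit scheme check before a credential request is built. The host yourapi.com is the page's placeholder, and the JSON body is a constructed sample.

```java
import okhttp3.*;
import java.io.IOException;
import java.util.Collections;

public class StrictTlsAuthClient {

  // Only TLS connection specs are offered. Because ConnectionSpec.CLEARTEXT is
  // absent, OkHttp fails an http:// call with an UnknownServiceException instead
  // of sending it in the clear. RESTRICTED_TLS also limits the handshake to
  // TLS 1.2/1.3 with strong cipher suites.
  private static final OkHttpClient CLIENT = new OkHttpClient.Builder()
      .connectionSpecs(Collections.singletonList(ConnectionSpec.RESTRICTED_TLS))
      .build();

  // Second, explicit check: reject cleartext URLs before a request exists at all,
  // so the failure is a clear application error rather than a low-level I/O one.
  static HttpUrl requireHttps(String url) {
    HttpUrl parsed = HttpUrl.parse(url);
    if (parsed == null || !parsed.isHttps()) {
      throw new IllegalArgumentException("credentials may only be sent over https: " + url);
    }
    return parsed;
  }

  // Sends the credential body to an https URL; the caller owns closing the Response.
  public static Response postCredentials(String url, RequestBody credentials) throws IOException {
    Request request = new Request.Builder()
        .url(requireHttps(url))
        .post(credentials)
        .build();
    return CLIENT.newCall(request).execute();
  }

  public static void main(String[] args) {
    // Constructed sample body; real code should serialise with a JSON library
    // rather than concatenating user input into the string.
    RequestBody body = RequestBody.create(
        "{\"username\": \"alice\", \"password\": \"example\"}",
        MediaType.parse("application/json; charset=utf-8"));

    try {
      postCredentials("http://yourapi.com/auth", body); // rejected before any bytes leave the host
    } catch (IllegalArgumentException | IOException e) {
      System.out.println("blocked: " + e.getMessage());
    }

    try (Response res = postCredentials("https://yourapi.com/auth", body)) {
      System.out.println("status " + res.code());
    } catch (IOException e) {
      System.out.println("request failed: " + e.getMessage()); // e.g. placeholder host not reachable
    }
  }
}
```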

References

  • CWE-319: Cleartext Transmission of Sensitive Information.