HTTP Basic Authentication

Mechanism to authenticate access to resources over HTTP.

HTTP Basic authentication is not considered secure unless it is used over TLS/HTTPS. On plain HTTP, anyone who can observe the traffic can read the header and decode the credentials, since base64 is an encoding, not encryption.

Authentication

The client tries to access a protected URL. The server checks whether the request carries an Authorization HTTP header with a valid username and password. The client sends the credentials as username:password, base64-encoded, in that request header.

Example with the credentials admin:admin, base64-encoded:

GET / HTTP/1.1
Host: example.com
Authorization: Basic YWRtaW46YWRtaW4=
[...]

Alternatively, use Burp Suite's Hackvertor extension, which encodes the tagged value inline:

GET / HTTP/1.1
Host: example.com
Authorization: Basic <@base64>admin:admin<@/base64>
[...]

If the credentials are valid

The server responds with HTTP 200 OK.

If the credentials are invalid

The server responds with HTTP 401 Unauthorized and the WWW-Authenticate HTTP header. The realm is free-form text and can be anything; the server is responsible for defining realms and performing the authentication.

HTTP/1.1 401 Unauthorized
Date: ...
www-Authenticate: Basic realm="MyApp"

The realm, or protection space, is a group of pages for which the same credentials are used. Browsers cache valid credentials for a given realm and reuse them on later requests to that realm.

The browser notices the WWW-Authenticate HTTP header in the 401 response and prompts the user for credentials.

The user submits the credentials. The browser base64-encodes them and sends them in the Authorization header of the next request. The authentication cycle continues until the server accepts the credentials or the user cancels.
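The server side of the cycle above, as an added Python example that is not part of the original notes: it builds the header a client would send, parses and validates an incoming Authorization header (rejecting a wrong scheme or malformed base64, and splitting only on the first colon because a password may itself contain one), compares the password in constant time, and answers 200 or 401 with the realm challenge. The user store and the realm name are constructed for the example; a real server would store salted password hashes, not plaintext.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

REALM = "MyApp"

# Constructed credential store for the example: username -> password.
USERS = {"admin": "admin"}


def encode_basic(username: str, password: str) -> str:
    """Build the Authorization header value a client sends."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an Authorization header, or None when
    the header is absent, uses another scheme, or is not valid base64.
    Only the first colon separates the fields: the password may contain ':'."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    if ":" not in decoded:
        return None
    username, _, password = decoded.partition(":")
    return username, password


def handle_request(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Server side of the cycle: 200 on valid credentials, otherwise 401 plus
    a WWW-Authenticate challenge naming the realm (also for missing/malformed headers)."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is not None:
        username, password = creds
        expected = USERS.get(username, "")
        # Constant-time comparison so a wrong password does not leak how much of it matched.
        if hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8")) and username in USERS:
            return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
```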

Bruteforce HTTP Basic Auth

Nmap scripts

Bruteforce (HTTP basic auth)

sudo nmap -p 80 --script http-brute $IP --script-args http-brute.hostname=example.com,http-brute.path=/,userdb=users.txt,passdb=passwords.txt,http-brute.method=POST