Security Vulnerability: Web Server Uses Plain-Text Form Based Authentication


Solution 1

Basically, it is saying that you are transmitting data over an unencrypted port such as port 80. Disable port 80 and enable port 443, and that should fix your problem.

Solution 2

This means that the web server allows POST requests over HTTP on port 80 (plain-text form-based authentication).

Even if your website redirects you to HTTPS, it does not matter, as someone can force the request to HTTP.

For example, someone could save the website locally and submit the forms unencrypted if the website is misconfigured by allowing plain-text POST requests. Or an attacker can create a fake website (clone it, so it looks the same) and redirect login forms via HTTP/80 to the original website, so the user won't notice. Then he may be able to obtain login credentials for other users by sniffing the network traffic.

Here is the example of the regular redirection response:

% curl -I http://example.com/
HTTP/1.1 301 Moved Permanently

Here is the example with POST request:

% curl -X POST -I http://example.com/

or:

% curl -d 'foo=bar' http://example.com/login

If your website responds with HTTP/1.1 200 OK or similar, then it is recommended to disallow all requests except GET and HEAD on port 80.
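The checks above can be scripted. The following is an added example (not code from the answer or from Qualys): it sends GET, HEAD and POST to a host over plain HTTP and classifies each response the way the answer does, treating a 2xx to the POST as the finding. The HTTPS_TARGET value and the throwaway localhost server are constructed stand-ins so the script runs offline; no real host (example.com included) is contacted unless you pass one on the command line.

```python
"""Probe whether a site still accepts form POSTs over plain HTTP (port 80).

Added example, not code from the original answer. A 301 on GET is not
enough; the POST itself must be refused. HTTPS_TARGET and the localhost
mock server are constructed stand-ins for a real site.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

HTTPS_TARGET = "https://example.com/login"  # assumed redirect target of a real site


def classify(method, status, location=""):
    """Verdict for one plain-HTTP request, from its status and Location header."""
    if method == "POST":
        if 200 <= status < 300:
            return "accepted"    # form processed in clear text: the scanner finding
        if 300 <= status < 400:
            return "redirected"  # body already crossed the wire; server may have used it
        return "refused"         # 405/403/501: port 80 does not take form submissions
    if 300 <= status < 400:
        return "redirect-https" if location.lower().startswith("https://") else "redirect-http"
    if 200 <= status < 300:
        return "served-plain"    # page (and any form on it) delivered unencrypted
    return "refused"


def assess(results):
    """Overall verdict for a probe() result: the POST outcome decides."""
    if results["POST"][1] == "accepted":
        return "VULNERABLE: plain-text form POST accepted on port 80"
    return "OK"


def probe(host, port=80, path="/login", form="user=alice&pass=secret"):
    """Send GET, HEAD and POST over HTTP and classify each response."""
    results = {}
    for method in ("GET", "HEAD", "POST"):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        headers, body = {}, None
        if method == "POST":
            headers["Content-Type"] = "application/x-www-form-urlencoded"
            body = form  # constructed dummy credentials
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        resp.read()
        results[method] = (resp.status, classify(method, resp.status, resp.getheader("Location", "")))
        conn.close()
    return results


def make_handler(allow_plain_post):
    """Constructed mock of a site: GET/HEAD redirect to HTTPS, POST is the knob."""
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):
            pass

        def _reply(self, status, extra=(), body=b""):
            self.send_response(status)
            for name, value in extra:
                self.send_header(name, value)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            if self.command != "HEAD":
                self.wfile.write(body)

        def do_GET(self):
            self._reply(301, [("Location", HTTPS_TARGET)])

        do_HEAD = do_GET

        def do_POST(self):
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            if allow_plain_post:   # misconfigured: credentials processed over HTTP
                self._reply(200, body=b"welcome back\n")
            else:                  # hardened: only GET/HEAD allowed on port 80
                self._reply(405, [("Allow", "GET, HEAD")])
    return Handler


def run_local(allow_plain_post):
    """Start the mock on 127.0.0.1 (stand-in for port 80), probe it, shut it down."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(allow_plain_post))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python probe80.py host [port] [path]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        path = sys.argv[3] if len(sys.argv) > 3 else "/login"
        print(assess(probe(host, port, path)))
    else:
        for flag in (True, False):
            res = run_local(flag)
            print("allow_plain_post=%s %s -> %s" % (flag, res, assess(res)))
```

Run without arguments to see the misconfigured mock (POST gets 200, verdict VULNERABLE) next to the hardened one (POST gets 405, verdict OK), or pass a host to probe a real server. One caveat the verdicts make explicit: a "refused" or "redirected" POST means the server did not process the form, but the body still crossed the wire in clear text, so rejecting methods on port 80 limits the damage rather than removing the exposure; not listening on port 80 at all, or sending HSTS so browsers never make the plain request, is the stronger fix.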

Author: learningTym

Updated on June 25, 2020

Comments

  • learningTym over 2 years

    I have a server on which Apache Tomcat 6.0.16 is installed and there are no web applications running.

    But I have an axis2.war which is hosting a few web services. Now, after performing a Qualys security vulnerability check, it gave me the following result:

    Service name: Web server
    Vulnerability description: Web Server Uses Plain-Text Form Based Authentication
    Severity (scale of 1-5, 5 is highest): 3

    I have searched for this error and what I gather is that this error happens for websites that request web pages from a web server and the form of authentication used is plain-text based. But my doubt is that we do not have any web apps running on the server, so which authentication is it asking for? Or is it related to axis2.war?

    Any suggestions would be of great help.