Plaintext negotiated authentication

Updated: June 19, 2025

Description

Severity: Critical

An endpoint is negotiating authentication over HTTP.

This exposes the credentials in plaintext on the network, so an attacker who observes the traffic can capture them and use them to make unauthorized API calls.

This rule applies at the API Specification level (OAS/Swagger).

Example Attack

Vulnerability to Eavesdropping: Since HTTP transmits data in plaintext, any information exchanged during the authentication process, including usernames, passwords, or tokens, can be intercepted by malicious actors monitoring network traffic. This vulnerability allows attackers to potentially steal authentication credentials and impersonate legitimate users.

Remediation

Change the transport protocol to HTTPS. This ensures that all data in the request, including the authentication credentials, is encrypted in transit.
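The check this rule performs at the specification level, and the remediation that follows it, as an added example that is not part of the original page or of any scanner's own code. It parses a constructed OAS 3 document, reports every operation that applies a Negotiate scheme (or, going one step beyond this finding, any other HTTP-type scheme carried in the Authorization header) while one of its effective servers uses http://, and rewrites the server URLs to https://. The sample specification, the scheme set and the function names are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample OAS 3 document (not from the original page): one server on
# plain HTTP, a Negotiate security scheme applied globally, and one operation
# that overrides it with an API key.
SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.3",
  "servers": [{"url": "http://api.example.test/v1"}],
  "components": {"securitySchemes": {
    "spnego": {"type": "http", "scheme": "negotiate"},
    "apiKey": {"type": "apiKey", "in": "header", "name": "X-Key"}}},
  "security": [{"spnego": []}],
  "paths": {"/orders": {"get": {"security": [{"apiKey": []}]}, "post": {}}}
}""")

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "trace"}
# Assumed set: schemes whose credential travels in the Authorization header.
PLAINTEXT_IF_HTTP = {"negotiate", "basic", "digest", "bearer"}

def plaintext_auth_findings(spec):
    """Return (METHOD, path, scheme_name) for every operation that applies an
    HTTP-type security scheme while at least one of its servers is http://."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    risky = {n for n, s in schemes.items() if s.get("type") == "http"
             and s.get("scheme", "").lower() in PLAINTEXT_IF_HTTP}
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            # Operation- and path-level servers/security override the document level.
            servers = op.get("servers", item.get("servers", spec.get("servers", [])))
            if not any(urlsplit(s.get("url", "")).scheme == "http" for s in servers):
                continue
            for requirement in op.get("security", spec.get("security", [])):
                findings.extend((method.upper(), path, n) for n in requirement if n in risky)
    return findings

def enforce_https(spec):
    """Remediation: return a copy with every http:// server URL rewritten to https://."""
    fixed = json.loads(json.dumps(spec))  # deep copy, leave the input untouched
    holders = [fixed]
    for item in fixed.get("paths", {}).values():
        holders.append(item)
        holders.extend(op for m, op in item.items() if m.lower() in HTTP_METHODS)
    for holder in holders:
        for server in holder.get("servers", []):
            if server.get("url", "").startswith("http://"):
                server["url"] = "https://" + server["url"][len("http://"):]
    return fixed
```

Running the finder before and after enforce_https shows the single POST /orders finding disappearing once the server URL is HTTPS; GET /orders never fires because its API-key override is not an HTTP-type scheme.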

Security Frameworks

APIs and the systems supporting them typically contain complex configurations, meant to make the APIs more customizable. Software and DevOps engineers can miss these configurations, or do not follow security best practices when configuring them, opening the door to different types of attacks.

Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin Resource Sharing (CORS), and verbose error messages containing sensitive information.

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or replay attacks (Exploitation for Credential Access). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.

Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CIS-ASG-2.1.6: CIS 2.1.6: Implement Cryptographic Techniques to Secure User Credentials and Authentication Tokens

Specify protocols to secure user data transmission and storage with cryptographic protocols.

Rationale

Implementing cryptographic techniques to secure user credentials and authentication tokens helps mitigate risks and prevent unauthorized access. Encrypting passwords and tokens helps keep sensitive data secure and complies with regulations such as GDPR. This renders data unreadable to unauthorized parties, protecting user credentials and authentication tokens from potential breaches and ensuring compliance with data protection laws and industry standards.

Remediation

  • Select password hashing methods.
  • Choose encrypted token storage and a secure method of generation.
  • Use TLS/SSL.
  • Enhance key management practices and policies.
  • Apply monitoring practices.
  • Document all changes made.

Audit

  • Review existing relevant policies.
  • Assess if existing procedures are compliant with regulations.
  • Assess password hashing methods.
  • Assess token storage and method of generation.
  • Assess TLS/SSL versions.
  • Assess key management practices and policies.
  • Assess monitoring practices.

CIS-ASG-2.2.2: CIS 2.2.2: Enforce TLS/SSL protocols

Enforce TLS and SSL protocols.

Rationale

Enforcing TLS/SSL protocols ensures data transfer encryption, safeguarding against interception and eavesdropping by malicious actors. By preventing Man-in-the-Middle (MITM) attacks, TLS/SSL maintains data confidentiality and integrity during transmission. It also protects the authentication procedure from unauthorized access, meeting compliance requirements and ensuring secure communication channels between clients and servers.

Remediation

  • Update the configuration settings.
  • Renew all certificates.
  • Implement HTTPS redirection from port 80 (HTTP) to port 443 (HTTPS) and implement HSTS to enforce HTTPS.
  • Address any vulnerabilities in the old and current TLS versions in use.
  • Enforce monitoring and alerting.
  • Update the documentation.

Audit

  • Review the current configuration settings.
  • Review certificates to ensure they are current, properly configured, and secure, preventing potential vulnerabilities.
  • Review HTTPS implementation and versions.
  • Review any non-compliant connections.
  • Review policies and compliance requirements.

CIS-ASG-3.1.3: CIS 3.1.3: Ensure the use of SSL/TLS

Verify the use of SSL/TLS for all API endpoints and versions.

Rationale

Ensuring the use of SSL/TLS is important because it keeps data transfer and communication encrypted, protecting sensitive information from being intercepted. It also mitigates Man-in-the-Middle (MiTM) vulnerabilities, enhancing security. Additionally, using SSL/TLS helps comply with regulations that mandate secure data transmission.

Remediation

  • Enforce SSL/TLS encryption for all API communications.
  • Regularly review configurations and certificates for expiration dates and assess if they are compromised.
  • Update versions when necessary.
  • Monitor configurations.

Audit

  • Review SSL/TLS enforcement for all endpoints.
  • Evaluate SSL/TLS versions.
  • Review certificate expiration dates and assess if they are compromised.