DeepSource
Dashboard Resources Pricing Discover Directory Log in

Run your first analysis.

Find thousands of code security and quality issues in your codebase, before they end up in production.

Start now
Java

Java

Made by DeepSource
Use Analyzer

Basic authorization is a security risk JAVA-S1019

Security
Major
 a02 cwe-287 cwe-522 sans top 25 owasp top 10

Basic authorization only encodes the user name and password in base-64 before sending it to the server, which is just a step above sending the data as plain-text.

Bad Practice

import org.apache.http.client.methods.HttpPost;

// ...

// Using HttpPost from Apache HttpClient
// Apache provides a Base64 encoder class for convenience.
String encoding = Base64Encoder.encode ("login:passwd");
HttpPost post = new HttpPost(url);
post.setHeader("Authorization", "Basic " + encoding);

// or

import java.net.HttpUrlConnection;

// ...

// Using HttpURLConnection
String encoding = Base64.getEncoder().encodeToString(("login:passwd").getBytes("UTF-8"));
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
conn.setRequestMethod("POST");
conn.setDoOutput(true);
conn.setRequestProperty("Authorization", "Basic " + encoding);

Recommended

Do not use basic authorization to authenticate users. While it may take more effort to securely send authentication data to the server, it will be beneficial in the long run.

If it is not possible to move away from it, ensure that any such authentication is done only over HTTPS.

References