Description
Risk/Issue summary finding
Basic Authentication in Use
Risk/Issue summary description/detail
The only authentication method used by the Spark web portals is basic HTTP authentication. In basic HTTP authentication, the username and password are encoded using the Base64 encoding scheme (a reversible encoding, not encryption) before being transmitted over the network. Note that the web service communications were over HTTPS, so traffic between client and service would be encrypted, reducing the risk of this issue.
Business impact / attack scenario
An attacker, given a reasonable time frame, may be able to brute-force the credentials and successfully authenticate to the web service. The time required for such an attack would be significantly reduced if common usernames and passwords, such as "Administrator" and "password", are in use. Additionally, basic authentication credentials are sent with every request and may be cached by the web browser.
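The two points above (the credential is only Base64-encoded, and repeated guessing is visible as a run of 401 responses) can both be checked from the server side. The following added example is not part of the assessment or of the Spark portals' code: it parses an Authorization header to show that the credential is fully recoverable from the encoding, and runs two detection checks over a constructed access-log excerpt (the log format, IP addresses and paths are assumptions for illustration). The header value used in the test is the example from RFC 7617.

```python
import base64
import binascii
from collections import Counter

# Constructed sample log lines (not from the assessed portals). Assumed format:
# timestamp source_ip url_scheme method path status auth_scheme
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 203.0.113.7 https GET /portal/ 401 Basic
2024-03-01T09:00:02Z 203.0.113.7 https GET /portal/ 401 Basic
2024-03-01T09:00:03Z 203.0.113.7 https GET /portal/ 401 Basic
2024-03-01T09:00:04Z 203.0.113.7 https GET /portal/ 401 Basic
2024-03-01T09:00:05Z 203.0.113.7 https GET /portal/ 401 Basic
2024-03-01T09:00:06Z 203.0.113.7 https GET /portal/ 200 Basic
2024-03-01T09:05:00Z 198.51.100.2 http GET /portal/status 200 Basic
2024-03-01T09:06:00Z 192.0.2.9 https GET /portal/ 200 Bearer
"""


def parse_basic_authorization(header_value):
    """Return (username, password) from an 'Authorization: Basic ...' value,
    or None if the header is not Basic auth or is malformed.

    Base64 is a reversible encoding: anyone who can read the header (a proxy
    log, a browser cache, a plaintext capture) can recover the credential."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def parse_log_line(line):
    """Split one line of the assumed log format into a record, or None."""
    fields = line.split()
    if len(fields) != 7:
        return None
    ts, ip, scheme, method, path, status, auth = fields
    return {"ts": ts, "ip": ip, "scheme": scheme, "method": method,
            "path": path, "status": int(status), "auth": auth}


def basic_auth_failures_by_ip(log_text, threshold=5):
    """Count 401 responses to Basic-auth requests per source IP and return
    the IPs at or above the threshold. A run of failures from one source,
    each carrying a fresh credential, is the signature of credential guessing."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["auth"] == "Basic" and rec["status"] == 401:
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def basic_auth_over_plaintext(log_text):
    """Return (ip, path) for Basic-auth requests that arrived over http.
    Without TLS the Base64 credential is readable by anyone on the path,
    which is the scenario the HTTPS note above mitigates."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["auth"] == "Basic" and rec["scheme"] == "http":
            hits.append((rec["ip"], rec["path"]))
    return hits


if __name__ == "__main__":
    print(parse_basic_authorization("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
    print(basic_auth_failures_by_ip(SAMPLE_LOG))
    print(basic_auth_over_plaintext(SAMPLE_LOG))
```

The threshold and time window are deliberately simple; in a real deployment the failure count would be bucketed by time and fed into a lockout or rate-limiting control rather than just reported.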
Recommendation
By itself, basic authentication is not considered secure. Web servers and application frameworks offer other, more secure authentication methods, which should be considered in its place.