Plaintext unknown authentication

firetail:plaintext-unknown-authentication

Type:

Finding

Rule Severity:

Critical

An endpoint is using an authentication mechanism that is not in the IANA Authentication Scheme Registry over HTTP.

This exposes the authentication credentials in plaintext on the network and can lead to attackers finding and using the credentials to make unauthorized API calls.

This rule applies at the API Specification level (OAS/Swagger).

Remediation

Change the transport protocol to HTTPS. This will ensure that all data in the request including authentication credentials are encrypted in transit.

Example Attack Scenario

Man-in-the-Middle (MitM) Attacks: Attackers positioned between the client and server can modify or capture plaintext credentials exchanged during authentication, compromising security.

How to Identify with Example Scenario

type: 
openapi: 3.0.0
info:
  title: Example API
  version: 1.0.0
paths:
  /login:
    post:
      summary: Endpoint to authenticate a user
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              properties:
                username:
                  type: string
                password:
                  type: string
              required:
                - username
                - password
      responses:
        '200':
          description: Successful authentication
          content:
            application/json:
              schema:
                type: object
                properties:
                  token:
                    type: string
        '401':
          description: Unauthorized

How to Resolve with Example Scenario

How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications
References:

More findings

All Findings
SQL Injection found in logs
Slack secrets found in logs
AppSync GraphQL API Authentication using API keys
GraphQL server error
AWS ALB has insecure desync mitigation mode
XSS attempt found in logs