Web Server Uses Basic Authentication without HTTPS

You will probably find this issue during the manual browsing and spidering phase of your assessment. Nikto and Nessus will also report it during the scanning phase.

Intercepting Web Proxy Output:


Pop up in your browser:


Nikto output

Indication of login

+ / - Requires Authentication for realm

Nessus Output

Web Server Uses Basic Authentication Without HTTPS
Plugin ID: 34850


The remote web server contains web pages that are protected by ‘Basic’ authentication over cleartext.
An attacker eavesdropping the traffic might obtain logins and passwords of valid users.


Make sure that HTTP authentication is transmitted over HTTPS.


Include the following information in the final report:

  • Name of the website or web application
  • A sample request and response
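
An added example (not part of the original page or of any tool named above) of confirming the finding from a proxy capture and preparing the sample request for the report. The host, credentials, function names and sample exchange are constructed assumptions.

```python
import base64
import re

# Constructed sample exchange (hypothetical host and credentials), as seen in a proxy.
SAMPLE_TOKEN = base64.b64encode(b"alice:s3cr3t").decode()
SAMPLE_REQUEST = (
    "GET /admin/ HTTP/1.1\r\n"
    "Host: intranet.example.test\r\n"
    f"Authorization: Basic {SAMPLE_TOKEN}\r\n\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="Staff Area"\r\n'
    "Content-Length: 0\r\n\r\n"
)

def parse_headers(raw):
    """Return (start line, {lower-cased header name: value}) of a raw HTTP message."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def check_exchange(url, raw_request, raw_response):
    """Return report evidence if Basic auth is used over cleartext HTTP, else None."""
    _, req = parse_headers(raw_request)
    status, resp = parse_headers(raw_response)
    challenge = re.match(r'(?i)basic\b(?:.*?realm="([^"]*)")?',
                         resp.get("www-authenticate", ""))
    scheme, _, token = req.get("authorization", "").partition(" ")
    sent_basic = scheme.lower() == "basic" and bool(token)
    if not url.lower().startswith("http://") or not (challenge or sent_basic):
        return None
    finding = {"url": url, "status": status, "user": None,
               "realm": challenge.group(1) if challenge else None,
               "request_for_report": raw_request}
    if sent_basic:
        # Base64 is an encoding, not encryption: the header decodes to user:password.
        decoded = base64.b64decode(token).decode("utf-8", "replace")
        finding["user"] = decoded.partition(":")[0]
        # Keep the finding reproducible but keep the password out of the report.
        finding["request_for_report"] = raw_request.replace(token, "[REDACTED]")
    return finding

if __name__ == "__main__":
    print(check_exchange("http://intranet.example.test/admin/", SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

The same exchange under an https:// URL returns None, which matches the remediation above.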