CRITICAL arp spoofingbasic auth

Arp Spoofing with Basic Auth

Scan your API now

How ARP Spoofing Manifests in Basic Auth

ARP spoofing is a layer-2 network attack where an attacker poisons the ARP cache of devices on a local network, intercepting traffic intended for another host. When an API uses HTTP Basic Authentication without TLS, credentials are transmitted as a Base64-encoded string in the Authorization header. This creates a two-fold vulnerability:

  • Credential Interception: An attacker performing ARP spoofing can capture the Basic Auth header from unencrypted HTTP traffic. Base64 is trivial to decode, revealing the username:password pair.
  • Session Replay: Because Basic Auth is stateless and often lacks robust session management, stolen credentials can be reused until changed or revoked.

The attack requires the attacker to be on the same broadcast domain (e.g., compromised Wi-Fi, internal network). The API's use of Basic Auth over HTTP is the enabling condition. For example, a vulnerable request looks like:

GET /api/users/123 HTTP/1.1
Host: vulnerable-api.com
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

An attacker using arpspoof or similar tools can redirect this traffic through their machine, extract the header, and decode it with echo dXNlcm5hbWU6cGFzc3dvcmQ= | base64 -d.

Even with TLS, if the client does not properly validate certificates (common in mobile apps or custom scripts), an attacker could perform a TLS-stripping or SSL-proxy attack combined with ARP spoofing to downgrade the connection and intercept credentials. This aligns with OWASP API Top 10 A2: Broken Authentication and A5: Broken Access Control when weak credentials are reused across systems.

Basic Auth-Specific Detection

Detecting this issue requires identifying two conditions: (1) the API uses Basic Authentication, and (2) it does so over an unencrypted channel. middleBrick's scanning engine checks for the presence of a WWW-Authenticate: Basic header in HTTP responses and verifies the transport protocol. A scan returns a critical finding if Basic Auth is offered on an HTTP endpoint.

Example scan output snippet from middleBrick:

{
  "finding": "Basic Authentication over HTTP",
  "severity": "critical",
  "endpoint": "http://api.example.com/users",
  "evidence": "WWW-Authenticate: Basic realm=\"api\""
}

The scanner also evaluates TLS configuration when HTTPS is used, but the primary risk is the absence of encryption. middleBrick's 12 parallel checks include Encryption and Data Exposure categories that capture this pattern. The risk score drops significantly if Basic Auth is enforced without TLS, often resulting in an F grade for the affected endpoint.

Manual detection involves:

  • Using curl -I http://target-api.com/endpoint to inspect response headers for WWW-Authenticate: Basic.
  • Checking for Strict-Transport-Security headers to enforce HTTPS.
  • Reviewing server configurations for TLS 1.2+ and strong cipher suites.

However, manual checks are error-prone and scale poorly. middleBrick automates this across all discovered endpoints, providing a per-category breakdown and prioritized remediation guidance. The CLI tool (middlebrick scan <url>) or GitHub Action can integrate this check into CI/CD pipelines, failing builds if Basic Auth over HTTP is detected.

Basic Auth-Specific Remediation

Remediation focuses on eliminating the use of Basic Auth over HTTP and, ideally, migrating to stronger authentication mechanisms. If Basic Auth must be retained, enforce TLS rigorously. Below are code-specific fixes for common frameworks.

1. Enforce HTTPS and HSTS

In Node.js/Express, use the helmet middleware to set security headers and redirect HTTP to HTTPS:

const express = require('express');
const helmet = require('helmet');
const app = express();

// Enforce HTTPS
app.enable('trust proxy'); // if behind a reverse proxy
app.use((req, res, next) => {
  if (req.headers['x-forwarded-proto'] !== 'https') {
    return res.redirect(`https://${req.hostname}${req.url}`);
  }
  next();
});

// Set HSTS header
app.use(helmet.hsts({ maxAge: 31536000, includeSubDomains: true }));

// Basic Auth middleware (only over HTTPS)
function basicAuth(req, username, password) {
  const auth = req.headers['authorization'];
  if (!auth) return false;
  const [scheme, credentials] = auth.split(' ');
  if (scheme !== 'Basic') return false;
  const decoded = Buffer.from(credentials, 'base64').toString('utf8');
  const [user, pass] = decoded.split(':');
  return user === username && pass === password;
}

app.get('/api/data', (req, res) => {
  if (!basicAuth(req, 'admin', 'securePassword123')) {
    res.set('WWW-Authenticate', 'Basic realm="API"');
    return res.status(401).send('Authentication required');
  }
  res.json({ data: 'sensitive' });
});

2. Spring Boot (Java)

Configure Spring Security to require HTTPS and disable Basic Auth over HTTP:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requiresChannel()
                .anyRequest()
                .requiresSecure() // Enforce HTTPS
            .and()
            .httpBasic()
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        return (web) -> web.ignoring().antMatchers("/public/**");
    }
}

Additionally, set HSTS in application.properties:

server.servlet.session.cookie.secure=true
server.ssl.enabled=true
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-store-password=changeit
server.ssl.key-store-type=PKCS12

3. ASP.NET Core

Use RequireHttpsAttribute and configure Kestrel for TLS:

public void ConfigureServices(IServiceCollection services)
{
    services.AddControllers();
    services.AddAuthentication("BasicAuthentication")
        .AddScheme<AuthenticationSchemeOptions, BasicAuthenticationHandler>(
            "BasicAuthentication", null);
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    app.UseHttpsRedirection();
    app.UseHsts(); // Adds Strict-Transport-Security header
    app.UseAuthentication();
    app.UseAuthorization();
    app.UseEndpoints(endpoints => { endpoints.MapControllers(); });
}

4. Migration Guidance

While these fixes secure the transport layer, Basic Auth remains fundamentally weak due to credential reuse and lack of logout. middleBrick's remediation guidance recommends migrating to token-based schemes like OAuth 2.0 or API keys with short-lived JWTs. For example, replace Basic Auth with a bearer token:

// Instead of Basic Auth header:
// Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

// Use:
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

middleBrick's reports map such findings to OWASP API Top 10 A2: Broken Authentication and provide framework-specific code snippets. The Pro plan's continuous monitoring ensures that any accidental reversion to HTTP Basic Auth in future deployments triggers alerts via Slack or GitHub Action checks.

Scan your API now Free API security scan

Frequently Asked Questions

Can ARP spoofing itself be detected by scanning an API endpoint?
No. ARP spoofing is a network-layer attack that occurs outside the API's runtime environment. middleBrick scans the API's observable behavior (e.g., use of Basic Auth over HTTP) to identify configurations that enable such attacks. It cannot monitor local network ARP tables or detect active poisoning.
Is Basic Auth secure if used exclusively over HTTPS?
HTTPS encrypts the Basic Auth header in transit, preventing network eavesdropping like ARP spoofing. However, Basic Auth still lacks features like logout, token revocation, and is vulnerable to credential stuffing. OWASP recommends stronger mechanisms (e.g., OAuth 2.0). middleBrick scores APIs lower if Basic Auth is used, even with TLS, due to these inherent weaknesses.

Related Pages

Arp Spoofing in APIsLearn how ARP spoofing enables API man-in-the-middle attacks, how to detect vulnerable endpoints, and implement network Basic Auth API SecurityLearn how Basic Auth works in APIs, common misconfigurations that lead to breaches, and concrete hardening techniques toArp Spoofing on AwsLearn how ARP spoofing attacks manifest in Aws environments, how to detect them with middleBrick's black-box scanning, aArp Spoofing on AzureLearn how ARP spoofing attacks work in Azure environments and how to detect and prevent them using Azure's native securiHipaa: Arp SpoofingLearn how ARP spoofing threatens HIPAA compliance by exposing ePHI, how middleBrick detects related API risks, and speciGdpr: Arp SpoofingLearn how GDPR risks arise from ARP spoofing via exposed APIs, how middleBrick detects data exposure and encryption flawIso 27001: Arp SpoofingLearn how ISO 27001 controls apply to ARP spoofing risks in API security, including detection via middleBrick and code-lCis: Arp SpoofingLearn how ARP spoofing interacts with API security (Cis), including detection and fixes for unsafe ARP data exposure.Arp Spoofing in Adonisjs with Basic AuthUnderstand ARP spoofing risks with AdonisJS Basic Auth, and apply concrete HTTPS and middleware fixes to protect credentArp Spoofing in Axum with Basic AuthExplains how Arp Spoofing interacts with Axum Basic Auth, and provides concrete HTTPS enforcement code examples.Arp Spoofing in Actix with Basic AuthUnderstand how arp spoofing interacts with Basic Auth in Actix, and apply concrete HTTPS and middleware fixes with code Arp Spoofing in Aspnet with Basic AuthUnderstand how arp spoofing exposes Basic Auth in ASP.NET and apply concrete HTTPS-enforced code fixes to protect creden