Operation Objects Uses Basic Auth
Description
This policy checks for operation objects in OpenAPI version 2.0 files that use basic authentication. Basic authentication is a simple authentication scheme built into the HTTP protocol: the client sends user credentials (username and password) in the headers of a request. It is generally considered insecure for several reasons. First, the credentials are sent as plaintext with only basic (Base64) encoding, so an eavesdropper who intercepts the request can read them directly, especially if the request travels over an unencrypted (non-HTTPS) connection. Second, basic authentication leaves your application open to brute-force attacks, because the scheme itself provides no way to limit login attempts. Overall, using a more secure authentication method, such as token-based or OAuth 2.0 authentication, is recommended.
Code Example
```yaml
components:
  securitySchemes:
    BearerAuth:            # arbitrary name for the security scheme
      type: http
      scheme: bearer
      bearerFormat: JWT    # arbitrary string for documentation purposes
```
Remediation
OpenAPI
A given OpenAPI specification file must not use a Basic Authentication scheme. This ensures that our APIs do not rely on a less secure authentication method such as Basic Authentication.
To fix the issue, use a more secure authentication method in place of Basic Authentication. One secure alternative is Bearer Authentication with a JWT token, where the client supplies the bearer token for authorization.
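The check this policy describes, written out as an added example (not the scanner's own implementation): it walks an OpenAPI 2.0 document already parsed into a Python dict, collects the `securityDefinitions` entries of type `basic`, and reports every operation whose effective security requirement (its own `security` list, or the document-level default when the operation has none) allows one of them. The sample document at the bottom is constructed for the example.

```python
# Added example, not the scanner's own code: flag OpenAPI 2.0 operations that
# accept HTTP Basic auth. Assumes the spec is already parsed into a dict.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

def basic_scheme_names(spec):
    """Names of securityDefinitions entries of type 'basic' (Swagger 2.0)."""
    defs = spec.get("securityDefinitions") or {}
    return {n for n, d in defs.items() if isinstance(d, dict) and d.get("type") == "basic"}

def uses_basic(security, basic_names):
    """True if any requirement object lists a basic scheme (alternatives are OR-ed)."""
    return any(name in basic_names
               for req in (security or []) if isinstance(req, dict)
               for name in req)

def find_basic_auth_operations(spec):
    """Return 'METHOD /path' for each operation callable with Basic auth.
    No `security` key: inherit the document default; `security: []`: opt out."""
    if not str(spec.get("swagger", "")).startswith("2"):
        return []  # the policy's scope is OpenAPI 2.0 files only
    basic_names = basic_scheme_names(spec)
    default_basic = uses_basic(spec.get("security"), basic_names)
    findings = []
    for path, item in (spec.get("paths") or {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS or not isinstance(op, dict):
                continue
            flagged = uses_basic(op["security"], basic_names) if "security" in op else default_basic
            if flagged:
                findings.append(f"{method.upper()} {path}")
    return findings

# Constructed sample document (not taken from the page).
SAMPLE = {
    "swagger": "2.0",
    "securityDefinitions": {
        "basicAuth": {"type": "basic"},
        "bearerAuth": {"type": "apiKey", "in": "header", "name": "Authorization"},
    },
    "security": [{"bearerAuth": []}],  # document-wide default
    "paths": {
        "/users": {"get": {"responses": {}}},                  # inherits bearer: clean
        "/admin": {"post": {"security": [{"basicAuth": []}]}},  # flagged
        "/public": {"get": {"security": []}},                  # opts out: clean
        "/legacy": {"put": {"security": [{"bearerAuth": []}, {"basicAuth": []}]}},  # flagged
    },
}
```

Running `find_basic_auth_operations(SAMPLE)` returns `["POST /admin", "PUT /legacy"]`; the `/legacy` operation is reported even though it also accepts a bearer token, because a client may still pick the Basic alternative.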
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1271 |
| Severity | HIGH |
| IaC Type | OpenAPI |
| Frameworks | OpenAPI |
| Checkov ID | CKV_OPENAPI_15 |