
I am testing a SOAP web service and the service sends username and password in every request as part of the XML body over SSL. I wanted to object to that and offer Basic Auth but could not find any logical reason. It feels wrong but I don't know why. Is there any difference between sending credentials with every request to a web service in the XML body vs sending them in the HTTP header? Note: Using session keys or API keys is not an option for this service.

b4da

1 Answer

HTTP Basic Authentication transmits the password in plain text - that is, the text of the password is encoded with Base64 but not hashed or encrypted in any way.

As such, most attack vectors which would successfully retrieve the password from the body would also be able to retrieve it from the HTTP header. Both will be equally protected by TLS, which will encrypt both the headers and body of the request.

However, it is possible that incorrectly configured logging or proxying might leak one part of the request without the other. For instance, a system might log the request and response bodies for debugging purposes; however, it might also log the headers, so both would be equally vulnerable. Indeed, there might be code to mask sensitive data in the request body, which fails to do so when logging headers.

In short, I would suggest that both are equally secure / insecure, and only a more complex authentication scheme (e.g. hashing a nonce and timestamp with a shared secret) would improve matters.

IMSoP
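An added illustration of the three points in the answer above (not code from the question's service or from the answerer): a Basic Authorization header is Base64 and decodes back to the password just as easily as a logged SOAP body does; a log scrubber that masks the body but not the header leaks the credential anyway; and an HMAC over a nonce and timestamp with a shared secret keeps the secret itself off the wire. The credentials, SOAP envelope and the exact signing format are constructed for this example.

```python
import base64
import hashlib
import hmac
import re
import time

# Constructed sample request: credentials in the SOAP body (as in the question)
# and the same credentials in an HTTP Basic Authorization header.
SAMPLE_BODY = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <Login><username>alice</username><password>s3cret!</password></Login>
  </soap:Body>
</soap:Envelope>"""

SAMPLE_HEADERS = {
    "Content-Type": "text/xml",
    "Authorization": "Basic " + base64.b64encode(b"alice:s3cret!").decode(),
}


def decode_basic_header(value):
    """Basic Auth is Base64, not encryption: whoever holds the header holds the password."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic":
        return None
    user, _, pw = base64.b64decode(token).decode().partition(":")
    return user, pw


def password_from_body(body):
    """The same credential is equally readable from a logged SOAP body."""
    m = re.search(r"<password>(.*?)</password>", body)
    return m.group(1) if m else None


def mask_body_only(headers, body):
    """The scrubber the answer warns about: masks the body, forgets the header."""
    return headers, re.sub(r"<password>.*?</password>", "<password>***</password>", body)


def mask_headers_and_body(headers, body):
    """Corrected scrubber: Authorization is sensitive too."""
    scrubbed = {k: ("***" if k.lower() == "authorization" else v) for k, v in headers.items()}
    return mask_body_only(scrubbed, body)


# --- "hashing a nonce and timestamp with a shared secret" (assumed message format) ---

def sign_request(secret, body, nonce, ts):
    """Client side: only an HMAC over timestamp, nonce and body is sent, never the secret."""
    msg = f"{ts}|{nonce}|".encode() + body.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Server side: check the MAC in constant time, reject stale timestamps and replayed nonces."""

    def __init__(self, secret, max_skew=300):
        self.secret, self.max_skew, self.seen = secret, max_skew, set()

    def verify(self, body, nonce, ts, mac, now=None):
        now = time.time() if now is None else now
        if abs(now - ts) > self.max_skew or nonce in self.seen:
            return False
        expected = sign_request(self.secret, body, nonce, ts)
        if not hmac.compare_digest(expected, mac):
            return False
        self.seen.add(nonce)  # burn the nonce so a captured request cannot be replayed
        return True


if __name__ == "__main__":
    print(decode_basic_header(SAMPLE_HEADERS["Authorization"]))   # ('alice', 's3cret!')
    print(password_from_body(SAMPLE_BODY))                         # s3cret!
    leaky_headers, _ = mask_body_only(SAMPLE_HEADERS, SAMPLE_BODY)
    print(decode_basic_header(leaky_headers["Authorization"]))     # still ('alice', 's3cret!')
```

The nonce set here lives in memory for brevity; a real deployment would need to share it across server instances and expire entries older than the skew window, otherwise the replay check silently stops working after a restart or behind a load balancer.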