Basic Auth


Basic Authentication (Basic Auth) is a simple and commonly used method for securing web resources and APIs. The client authenticates by sending a username and password in the HTTP request header. These credentials are base64-encoded before transmission.

Configurations

The Basic Auth mechanism has the following configurations:

| Configuration | Description |
| --- | --- |
| Username | The username of the user or the application. |
| Password | The password for the user or application. |
| Header Value Template (Optional) | Template for the Authorization header value. The mechanism base64-encodes the `username:password` pair and substitutes the result for the `{{value}}` placeholder, producing a header of the form `Authorization: Basic {{value}}`. |
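The template mechanism described above, end to end, as an added example (not code from this page or from the scanner): `build_basic_header` does what the hook samples do (encode `username:password`, substitute it for `{{value}}`), and `parse_basic_header` / `credentials_match` show the receiving side, including the edge case of a password that itself contains a colon (RFC 7617 says to split on the first colon only) and a constant-time comparison. All function names are the example's own.

```python
import base64
import hmac
import re
from typing import Optional, Tuple

PLACEHOLDER = "{{value}}"
BASIC_RE = re.compile(r"\s*Basic\s+([A-Za-z0-9+/=]+)\s*", re.IGNORECASE)


def build_basic_header(username: str, password: str, template: str = "Basic {{value}}") -> str:
    """Base64-encode 'username:password' and substitute it for {{value}} in the template."""
    if ":" in username:
        # RFC 7617: the user-id must not contain ':' or the pair is ambiguous
        raise ValueError("username must not contain ':'")
    if PLACEHOLDER not in template:
        raise ValueError(f"template does not contain {PLACEHOLDER}")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return template.replace(PLACEHOLDER, token)


def parse_basic_header(header_value: str) -> Optional[Tuple[str, str]]:
    """Reverse of build_basic_header: (username, password), or None if malformed."""
    match = BASIC_RE.fullmatch(header_value)
    if not match:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet and bad padding
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    # split on the FIRST colon only so passwords containing ':' survive
    username, password = decoded.split(":", 1)
    return username, password


def credentials_match(header_value: str, expected_user: str, expected_password: str) -> bool:
    """Server-side check: parse the header and compare both fields in constant time."""
    parsed = parse_basic_header(header_value)
    if parsed is None:
        return False
    user, password = parsed
    # evaluate both comparisons so a username mismatch is not distinguishable by timing
    user_ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    pass_ok = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return user_ok and pass_ok
```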

Example

The following are some samples that you can use to configure the Basic Auth mechanism in the Advanced mode:

Sample 1

import base64

# ScanContext, PluginContext, TestCase and Assertion are provided by the scanner
# runtime that loads this hook; they are not imported here.

def basic_auth_hook(scanctx: ScanContext, pluginctx: PluginContext, testcase: TestCase, **kwargs) -> list[Assertion]:
    attributes = testcase.get_attributes()
    username = "TOKEN_VALUE"
    password = "TOKEN_VALUE"
    # set user
    normal_user = True
    bola_user = False
    # Encode the credentials in Base64
    auth_string = base64.b64encode(f"{username}:{password}".encode()).decode()
    header_value = "Basic %s" % auth_string
    # Tell the scanner which request attribute carries the credential
    attributes.set("mutated.auth.attribute", "mutated.http.request.header.authorization")
    # Drop any cookie-based session so only Basic Auth is in play
    attributes.delete("mutated\\.http\\.request\\.cookie", regex=True)
    attributes.delete("mutated.http.request.header.cookie")

    #attributes.set("mutated.role.user", username)
    attributes.set("mutated.http.request.header.authorization", header_value)
    return []

Sample 2

import base64
import logging

# ScanContext, PluginContext, TestCase and Assertion are provided by the scanner
# runtime that loads this hook; the logger is a module-level standard logger.
logger = logging.getLogger(__name__)

def basic_auth_hook(scanctx: ScanContext, pluginctx: PluginContext, testcase: TestCase, **kwargs) -> list[Assertion]:
    attributes = testcase.get_attributes()
    username = "TOKEN_VALUE"
    password = "TOKEN_VALUE"
    logger.info(
        "Invoked zendesk custom auth for url %s and plugin %s",
        attributes.get_one("mutated.http.request.url", ""),
        pluginctx.get_plugin(),
    )
    # Header Value Template: {{value}} is replaced with the base64 credential
    header_value_format = "Basic {{value}}"
    # set user
    normal_user = True
    bola_user = False
    # Encode the credentials in Base64
    auth_string = base64.b64encode(f"{username}:{password}".encode()).decode()
    header_value = header_value_format.replace("{{value}}", str(auth_string))
    attributes.set("mutated.auth.attribute", "mutated.http.request.header.Authorization")

    if normal_user:
        attributes.set("mutated.role.user", header_value)
        attributes.set("mutated.http.request.header.Authorization", header_value)
    if bola_user:
        attributes.set("mutated.role.bolauser", header_value)
    return []