Luc H created AMBARI-25588:
------------------------------

             Summary: Use basic authentication over HTTP
                 Key: AMBARI-25588
                 URL: https://issues.apache.org/jira/browse/AMBARI-25588
             Project: Ambari
          Issue Type: Bug
          Components: test
    Affects Versions: trunk
            Reporter: Luc H
Sensitive information like username and password shall not be sent over the cleartext HTTP channel. Basic authentication only obfuscates username/password in Base64 encoding, which can be easily recognized and reversed.

The class {{ambari-funtest/src/test/java/org/apache/ambari/funtest/server/AmbariHttpWebRequest.java}} sends username and password in basic authentication over an HTTP connection. Sending username and password using the HTTP protocol violates CWE-522 "Insufficiently Protected Credentials".

Although the vulnerable class is in the {{ambari-funtest}} package, as Ambari is a popular repository of Apache that is watched and used by many users and organizations, whose code could be extended and customized, the issue shall be resolved in my opinion.

Relevant PR is [#3210](https://github.com/apache/ambari/pull/3210).

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
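The following is an added illustration written for this page, not code from the Ambari project or from the PR above. It shows the two points the report makes: an HTTP Basic Authorization header is just a Base64 encoding of user:password that anyone observing the connection can decode, and the mitigation is a client-side guard that refuses to attach the header unless the request URI uses https. The credentials and host names are constructed placeholders, and BasicAuthTransportCheck, basicHeaderForUri and the other method names are hypothetical, not Ambari APIs.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public final class BasicAuthTransportCheck {

    /** Builds the value of an HTTP Basic Authorization header (RFC 7617): "Basic " + base64(user:password). */
    static String basicHeaderValue(String user, String password) {
        String pair = user + ":" + password;
        return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    /** Base64 is an encoding, not encryption: the original user:password is recovered with one decode call. */
    static String decodeBasicHeader(String headerValue) {
        String b64 = headerValue.substring("Basic ".length());
        return new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
    }

    /** Hardened variant: only attach credentials when the request goes over TLS; otherwise fail closed. */
    static String basicHeaderForUri(URI target, String user, String password) {
        if (!"https".equalsIgnoreCase(target.getScheme())) {
            throw new IllegalArgumentException(
                "refusing to send Basic credentials over cleartext " + target.getScheme()
                + " to " + target.getHost());
        }
        return basicHeaderValue(user, password);
    }

    public static void main(String[] args) {
        // Constructed sample credentials; not taken from the Ambari test suite.
        String user = "admin";
        String password = "example-password";

        String header = basicHeaderValue(user, password);
        System.out.println("Header as sent on the wire: " + header);
        System.out.println("Recovered by anyone on the path: " + decodeBasicHeader(header));

        // Hypothetical endpoints for illustration (host names are placeholders).
        URI plain = URI.create("http://ambari.example.internal:8080/api/v1/clusters");
        URI tls = URI.create("https://ambari.example.internal:8443/api/v1/clusters");

        try {
            basicHeaderForUri(plain, user, password);
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
        System.out.println("Allowed over TLS: " + basicHeaderForUri(tls, user, password).startsWith("Basic "));
    }
}
```

Compile and run with javac/java; the first two lines of output show that the "obfuscated" header yields admin:example-password directly, and the scheme check is the single place a client such as a test helper can enforce that Basic credentials never leave the process over cleartext HTTP.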